diff --git a/.ansible-lint b/.ansible-lint index f2a7e7c..470d43e 100755 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,6 +1,15 @@ parseable: true quiet: true skip_list: + - 'schema' + - 'no-changed-when' + - 'fqcn-builtins' + - 'experimental' + - 'fqcn[action-core]' + - 'fqcn[action]' + - 'name[casing]' + - 'name[template]' + - 'jinja[spacing]' - '204' - '305' - '303' diff --git a/.yamllint b/.yamllint index 93378b9..33c0076 100755 --- a/.yamllint +++ b/.yamllint @@ -9,12 +9,26 @@ extends: default rules: indentation: + # Requiring 4 space indentation spaces: 4 - truthy: disable + # Requiring consistent indentation within a file, either indented or not + indent-sequences: consistent + #truthy: disable braces: max-spaces-inside: 1 level: error brackets: max-spaces-inside: 1 level: error + indentation: + indent-sequences: consistent + level: error line-length: disable + key-duplicates: enable + new-line-at-end-of-file: enable + new-lines: + type: unix + trailing-spaces: enable + truthy: + allowed-values: ['true', 'false'] + check-keys: false diff --git a/README.md b/README.md index c3635b2..d465c25 100644 --- a/README.md +++ b/README.md 
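Review bot: The `.yamllint` hunk adds a second `indentation:` key under `rules:` (the one carrying `indent-sequences: consistent` and `level: error`) while the first `indentation:` mapping with `spaces: 4` and `indent-sequences: consistent` is still there a few lines above; YAML loaders keep the last value for a duplicated key, so `spaces: 4` is silently lost, and the same hunk turns on `key-duplicates: enable`, so yamllint will now flag its own config file. Merge the two into one mapping — keep the first `indentation:` block, add `level: error` to it, and delete the second `indentation:` key and its two children. The `#truthy: disable` line left in the middle of the rules is dead text now that a real `truthy:` rule is defined below; drop it rather than carry a commented-out duplicate.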
@@ -1,20 +1,26 @@ -Windows Server 2019 CIS -========= +# Windows Server 2019 CIS + ![Release](https://img.shields.io/github/v/release/ansible-lockdown/Windows-2019-CIS?style=plastic) -Configure a Windows Server 2019 system to be CIS compliant. All findings will be audited by default. Non-disruptive Section 1, Section 2, Section 9, Section 17, Section 18, and Section 19 findings will be corrected by default. +Configure a Windows Server 2019 system to be [CIS](https://downloads.cisecurity.org/#/) compliant. + + Based on [CIS Microsoft Windows Server 2019 Benchmark v1.3.0 - 03-18-2022](https://learn.cisecurity.org/l/799323/2022-03-15/rshpk) + + ## Join us + + On our [Discord Server](https://discord.gg/JFxpSgPFEJ) to ask questions, discuss features, or just chat with other Ansible-Lockdown users + + ## Caution(s) -Caution(s) -------- This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. -This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed. +This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. To use release version please point to main branch -Based on [Windows Server 2019 CIS v1.2.1 05-08-2021](https://downloads.cisecurity.org/#/). +Based on [Windows Server 2019 CIS v1.3.0 03-18-2022](https://downloads.cisecurity.org/#/). + +## Documentation -Documentation -------------- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)
[Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)
[Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)
@@ -22,8 +28,8 @@ Documentation [Wiki](https://github.com/ansible-lockdown/Windows-2019-CIS/wiki)
[Repo GitHub Page](https://ansible-lockdown.github.io/Windows-2019-CIS/)
-Requirements
-------------
+## Requirements
+
 **General:**
 - Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible
 - [Main Ansible documentation page](https://docs.ansible.com)
diff --git a/collections/requirements.yml b/collections/requirements.yml
new file mode 100644
index 0000000..c0d1d51
--- /dev/null
+++ b/collections/requirements.yml
@@ -0,0 +1,4 @@
+---
+
+collections:
+- name: community.windows
diff --git a/defaults/main.yml b/defaults/main.yml
index 285a6c3..6005ded 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
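Review bot: The new `collections/requirements.yml` lists `community.windows` with no `version:` constraint, so every `ansible-galaxy collection install -r` resolves to whatever is newest on Galaxy, and a role that rewrites password, lockout and user-rights policy can change behaviour between runs without any change to this repository. Pin it to the range the role was tested against, e.g. `- name: community.windows` followed by `  version: ">=1.0.0,<2.0.0"` (adjust to the real tested version), and consider `source:` so the server is explicit too. The task files also use `win_user_right`, `win_reg_stat` and `win_reboot` by short name; as far as I can tell those resolve through `ansible.windows`, which arrives here only as a transitive dependency, so listing it explicitly (and pinned) would make the real requirement visible.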
@@ -1,31 +1,55 @@ --- -section01_patch: yes -section02_patch: yes -section09_patch: yes -section17_patch: yes -section18_patch: yes -section19_patch: yes + +# Section 1 Account Policies +# 1.1.x Password Policy, 1.2.x Account Lockout Policy +section01_patch: true + +# Section 2 Local Policies +# 2.2.x User Rights Assignment, 2.3.x Security Options +section02_patch: true + +# Section 5 System Services +# 5.x Printers +section05_patch: true + +# Section 9 Windows Defender Firewall with Advanced Security (formerly Windows Firewall with Advanced Security) +# 9.1.x Domain Profile, 9.2.x Private Profile, 9.3.x Public Profile +section09_patch: true + +# Section 17 Advanced Audit Policy Configuration +# 17.1.x Account Logon, 17.2.x Account Management, 17.3.x Detailed Tracking, 17.4.x DS Access, 17.5.x Logon/Logoff +# 17.6.x Object Access, 17.7.x Policy Change, 17.8.x Privilege Use, 17.9.x System +section17_patch: true + +# Section 18 Administrative Templates (Computer) +# 18.1.x Control Panel, 18.2.x LAPS, 18.3.x MS Security Guide, 18.4.x MSS (Legacy), 18.5.x Network, 18.6.x Printers +# 18.7.x Start Menu and Taskbar, 18.8.x System, 18.9.x Windows Components +section18_patch: true + +# Section 19 Administrative Templates (User) +# 19.1.x Control Panel, 19.5.x Start Menu and Taskbar, 19.6.x System, 19.7.x Windows Components +section19_patch: true min_ansible_version: "2.6" # We've defined complexity-high to mean that we cannot automatically remediate # the rule in question. In the future this might mean that the remediation # may fail in some cases. -complexity_high: no +complexity_high: false # Show "changed" for complex items not remediated per complexity-high setting # to make them stand out. "changed" items on a second run of the role would # indicate items requiring manual review. -audit_complex: yes +audit_complex: true # We've defined disruption-high to indicate items that are likely to cause # disruption in a normal workflow. 
These items can be remediated automatically # but are disabled by default to avoid disruption. -disruption_high: no +disruption_high: false # Show "changed" for disruptive items not remediated per disruption-high # setting to make them stand out. -audit_disruptive: yes +audit_disruptive: true skip_for_travis: false @@ -33,7 +57,7 @@ workaround_for_disa_benchmark: true workaround_for_ssg_benchmark: true # tweak role to run in a non-privileged container -system_is_container: no +system_is_container: false # set to false to skip tasks that either have not been developed or cannot be automated is_implemented: false @@ -180,6 +204,10 @@ rule_2_3_17_6: true rule_2_3_17_7: true rule_2_3_17_8: true +# section 5 +rule_5_1: true +rule_5_2: true + # section09 rule_9_1_1: true rule_9_1_2: true @@ -290,6 +318,9 @@ rule_18_5_20_1: true rule_18_5_20_2: true rule_18_5_21_1: true rule_18_5_21_2: true +rule_18_6_1: true +rule_18_6_2: true +rule_18_6_3: true rule_18_7_1_1: true rule_18_8_3_1: true rule_18_8_4_1: true @@ -301,6 +332,7 @@ rule_18_8_5_4: true rule_18_8_5_5: true rule_18_8_5_6: true rule_18_8_5_7: true +rule_18_8_7_2: true rule_18_8_14_1: true rule_18_8_21_2: true rule_18_8_21_3: true @@ -339,6 +371,7 @@ rule_18_8_36_1: true rule_18_8_36_2: true rule_18_8_37_1: true rule_18_8_37_2: true +rule_18_8_40_1: true rule_18_8_45_5_1: true rule_18_8_47_5_1: true rule_18_8_47_11_1: true @@ -353,14 +386,20 @@ rule_18_9_8_3: true rule_18_9_10_1_1: true rule_18_9_12_1: true rule_18_9_13_1: true -rule_18_9_13_2: true rule_18_9_14_1: true +rule_18_9_14_2: true rule_18_9_15_1: true rule_18_9_15_2: true rule_18_9_16_1: true rule_18_9_16_2: true -rule_18_9_16_3: true -rule_18_9_16_4: true +rule_18_9_17_1: true +rule_18_9_17_2: true +rule_18_9_17_3: true +rule_18_9_17_4: true +rule_18_9_17_5: true +rule_18_9_17_6: true +rule_18_9_17_7: true +rule_18_9_17_8: true rule_18_9_26_1_1: true rule_18_9_26_1_2: true rule_18_9_26_2_1: true 
@@ -381,14 +420,15 @@ rule_18_9_45_4_1_1: true rule_18_9_45_4_1_2: true rule_18_9_45_4_3_1: true rule_18_9_45_5_1: true -rule_18_9_45_8_1: true -rule_18_9_45_8_2: true -rule_18_9_45_8_3: true rule_18_9_45_10_1: true rule_18_9_45_11_1: true rule_18_9_45_11_2: true rule_18_9_45_14: true rule_18_9_45_15: true +rule_18_9_47_9_1: true +rule_18_9_47_9_2: true +rule_18_9_47_9_3: true +rule_18_9_47_9_4: true rule_18_9_55_1: true rule_18_9_62_2_2: true rule_18_9_62_3_2_1: true @@ -416,8 +456,6 @@ rule_18_9_85_1: true rule_18_9_85_2: true rule_18_9_85_3: true rule_18_9_86_1: true -rule_18_9_95_1: true -rule_18_9_95_2: true rule_18_9_97_1_1: true rule_18_9_97_1_2: true rule_18_9_97_1_3: true @@ -427,12 +465,14 @@ rule_18_9_97_2_3: true rule_18_9_97_2_4: true rule_18_9_98_1: true rule_18_9_99_2_1: true -rule_18_9_102_1_1: true -rule_18_9_102_1_2: true -rule_18_9_102_1_3: true -rule_18_9_102_2: true -rule_18_9_102_3: true -rule_18_9_102_4: true +rule_18_9_100_1: true +rule_18_9_100_2: true +rule_18_9_108_1_1: true +rule_18_9_108_2_1: true +rule_18_9_108_2_2: true +rule_18_9_108_4_1: true +rule_18_9_108_4_2: true +rule_18_9_108_4_3: true # section19 rule_19_1_3_1: true @@ -447,6 +487,7 @@ rule_19_7_8_1: true rule_19_7_8_2: true rule_19_7_8_3: true rule_19_7_8_4: true +rule_19_7_8_5: true rule_19_7_28_1: true rule_19_7_43_1: true rule_19_7_47_2_1: true @@ -470,11 +511,17 @@ sedebugprivilege: "*S-1-5-32-544" pass_age: 60 -lockoutduration: 15 -lockoutbadcount: 3 +# 1.2.2 +# lockoutbadcount must be 5 or few, but not 0 (zero) +lockoutbadcount: 5 + resetlockoutcount: 15 passwordhistorysize: 24 -maximumpasswordage: 60 + +# 1.1.2 +# maximumpasswordage must be 365 or fewer, but not 0 (zero) +maximumpasswordage: 365 + minimumpasswordage: 1 minimumpasswordlength: 14 
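Review bot: The defaults hunk deletes `lockoutduration: 15`, but the 1.2.1 task in `tasks/section01.yml` still references `{{ lockoutduration }}` in its assert and `fail_msg` (visible in that file's hunk), so a run with unmodified defaults will abort on an undefined variable as soon as `rule_1_2_2`/`rule_1_2_1` fire. Either restore `lockoutduration: 15` under a `# 1.2.1` comment next to the new `# 1.2.2` block, or remove the 1.2.1 task in the same commit. The new comment also has a typo: `# lockoutbadcount must be 5 or fewer, but not 0 (zero)`. Note that `pass_age: 60` is left untouched directly above while `maximumpasswordage` moves to 365; if `pass_age` feeds the same control elsewhere in the role (not visible here), the two defaults now disagree.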
@@ -509,7 +556,6 @@ legalnoticecaption: "DoD Notice and Consent Banner" # This is a variable to determine if Windows Manager should be included in this step increase_scheduling_priority_users: '{{ ["Administrators"] if (windows_installation_type=="Server Core") else (["Administrators","Window Manager\Window Manager Group"]) }}' - # 9.1.5 # domain_firewall_log_path is the path to the domain firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\domainfw.log # This is a variable to give some leway on where to store these log files diff --git a/handlers/main.yml b/handlers/main.yml index 6e8efd4..bcc9fd2 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,4 +1,5 @@ --- + - name: reboot_windows win_reboot: reboot_timeout: 3600 diff --git a/meta/main.yml b/meta/main.yml index 478487b..85b0cd9 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -5,6 +5,7 @@ galaxy_info: company: "MindPoint Group" license: MIT role_name: windows_2019_cis + namespace: mindpointgroup min_ansible_version: 2.6 platforms: diff --git a/site.yml b/site.yml index 644ad68..2161d3d 100644 --- a/site.yml +++ b/site.yml @@ -1,8 +1,6 @@ --- -- hosts: all - vars: - is_container: false + +- hosts: all # noqa: name[play] roles: - role: "{{ playbook_dir }}" - system_is_container: "{{ is_container | default(false) }}" diff --git a/tasks/main.yml b/tasks/main.yml index c3e0ed9..8b13cad 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -41,6 +41,12 @@ tags: - section02 +- name: Execute the section 5 tasks + import_tasks: section05.yml + when: section05_patch | bool + tags: + - section05 + - name: Execute the section 9 tasks import_tasks: section09.yml when: section09_patch | bool diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 78e5527..c4ab829 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
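Review bot: `site.yml` drops both the `is_container` play var and the `system_is_container: "{{ is_container | default(false) }}"` role parameter, so anyone who was invoking the playbook with `-e is_container=true` now silently gets the default `system_is_container: false` from `defaults/main.yml` and the privileged tasks run in the container. That is a behaviour change for existing callers that the README hunks do not mention; either keep the one-line mapping on the role entry, or add a line to the README's requirements section saying the variable to override is now `system_is_container`. Separately, `tasks/main.yml` now imports `section05.yml` when `section05_patch | bool`, but no `tasks/section05.yml` appears in this diff — confirm the file is actually added in this commit, otherwise the `import_tasks` fails at parse time regardless of the `when`.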
@@ -17,15 +17,15 @@ - name: set fact if domain member server set_fact: win2019cis_is_domain_member: true - when: + when: - ansible_windows_domain_role == 'Member server' - name: Get Windows installation type win_reg_stat: - path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion - name: InstallationType + path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion + name: InstallationType register: get_windows_installation_type - name: Set Windows installation type set_fact: - windows_installation_type: "{{ get_windows_installation_type.value | default('') }}" + windows_installation_type: "{{ get_windows_installation_type.value | default('') }}" diff --git a/tasks/section01.yml b/tasks/section01.yml index 458f077..d29e514 100644 --- a/tasks/section01.yml +++ b/tasks/section01.yml @@ -1,7 +1,8 @@ --- -- name: "1.1.1 | PATCH | L1 | Ensure Enforce password history is set to 24 or more passwords" + +- name: "1.1.1 | PATCH | Ensure Enforce password history is set to 24 or more passwords" block: - - name: "1.1.1 | AUDIT | L1 | Ensure Enforce password history is set to 24 or more passwords" + - name: "1.1.1 | AUDIT | Ensure Enforce password history is set to 24 or more passwords" assert: that: passwordhistorysize | int is version('24', '>=') fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}" @@ -9,7 +10,7 @@ ignore_errors: true register: result - - name: "1.1.1 | PATCH | L1 | Ensure Enforce password history is set to 24 or more passwords" + - name: "1.1.1 | PATCH | Ensure Enforce password history is set to 24 or more passwords" win_security_policy: section: System Access key: PasswordHistorySize 
@@ -21,22 +22,13 @@ - level1-memberserver - rule_1.1.1 - patch + - password -- name: "1.1.2 | PATCH | L1 | Ensure Maximum password age is set to 60 or fewer days but not 0" - block: - - name: "1.1.2 | AUDIT | L1 | Ensure Maximum password age is set to 60 or fewer days but not 0" - assert: - that: maximumpasswordage | int is version('60', '<=') - fail_msg: "Maximum password age must be configured to 60 days or less and variable maximumpasswordage is set to {{ maximumpasswordage }}" - changed_when: false - ignore_errors: true - register: result - - - name: "1.1.2 | PATCH | L1 | Ensure Maximum password age is set to 60 or fewer days but not 0" - win_security_policy: - section: System Access - key: MaximumPasswordAge - value: "{{ maximumpasswordage }}" +- name: "1.1.2 | PATCH | Ensure Maximum password age is set to 365 or fewer days but not 0" + win_security_policy: + section: System Access + key: MaximumPasswordAge + value: "{{ maximumpasswordage }}" when: - rule_1_1_2 tags: @@ -44,10 +36,11 @@ - level1-memberserver - rule_1.1.2 - patch + - password -- name: "1.1.3 | PATCH | L1 | Ensure Minimum password age is set to 1 or more days" +- name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days" block: - - name: "1.1.3 | AUDIT | L1 | Ensure Minimum password age is set to 1 or more days" + - name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days" assert: that: minimumpasswordage is version('1', '>=') fail_msg: "Minimum password age must be configured to at least one day and variable minimumpasswordage is set to {{ minimumpasswordage }}" @@ -55,7 +48,7 @@ ignore_errors: true register: result - - name: "1.1.3 | PATCH | L1 | Ensure Minimum password age is set to 1 or more days" + - name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days" win_security_policy: section: System Access key: MinimumPasswordAge 
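Review bot: The 1.1.2 hunk removes the AUDIT assert and leaves `MaximumPasswordAge` set straight from `maximumpasswordage`, while the neighbouring controls 1.1.1, 1.1.3 and 1.1.4 all keep their `block:`/`assert` guard; a caller who overrides the variable to `0` (passwords never expire) or to 400 now has that value applied with no warning, and the control's own name says "365 or fewer days but not 0". Restore the guard in the sibling shape, checking both bounds rather than only the upper one the old assert checked. As with the siblings, `ignore_errors: true` means the assert is advisory and the patch still runs — worth a comment, or a `when: result is succeeded` on the patch task if the intent is to block bad values.
```yaml
- name: "1.1.2 | PATCH | Ensure Maximum password age is set to 365 or fewer days but not 0"
  block:
    - name: "1.1.2 | AUDIT | Ensure Maximum password age is set to 365 or fewer days but not 0"
      assert:
        that:
          - maximumpasswordage | int > 0
          - maximumpasswordage | int <= 365
        fail_msg: "Maximum password age must be between 1 and 365 days and variable maximumpasswordage is set to {{ maximumpasswordage }}"
      changed_when: false
      ignore_errors: true
      register: result

    - name: "1.1.2 | PATCH | Ensure Maximum password age is set to 365 or fewer days but not 0"
      win_security_policy:
        section: System Access
        key: MaximumPasswordAge
        value: "{{ maximumpasswordage }}"
  # … unchanged: when / tags …
```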
@@ -67,10 +60,11 @@ - level1-memberserver - rule_1.1.3 - patch + - password -- name: "1.1.4 | PATCH | L1 | Ensure Minimum password length is set to 14 or more characters" +- name: "1.1.4 | PATCH | Ensure Minimum password length is set to 14 or more characters" block: - - name: "1.1.4 | AUDIT | L1 | Ensure Minimum password length is set to 14 or more characters" + - name: "1.1.4 | AUDIT | Ensure Minimum password length is set to 14 or more characters" assert: that: minimumpasswordlength is version('14', '>=') fail_msg: "Minimum password length must be configured to 14 characters and variable minimumpasswordlength is set to {{ minimumpasswordlength }} characters" @@ -78,7 +72,7 @@ ignore_errors: true register: result - - name: "1.1.4 | PATCH | L1 | Ensure Minimum password length is set to 14 or more characters" + - name: "1.1.4 | PATCH | Ensure Minimum password length is set to 14 or more characters" win_security_policy: section: System Access key: MinimumPasswordLength @@ -90,8 +84,9 @@ - level1-memberserver - rule_1.1.4 - patch + - password -- name: "1.1.5 | PATCH | L1 | Ensure Password must meet complexity requirements is set to Enabled" +- name: "1.1.5 | PATCH | Ensure Password must meet complexity requirements is set to Enabled" win_security_policy: section: System Access key: PasswordComplexity @@ -103,8 +98,9 @@ - level1-memberserver - rule_1.1.5 - patch + - password -- name: "1.1.6 | PATCH | L1 | Ensure Store passwords using reversible encryption is set to Disabled" +- name: "1.1.6 | PATCH | Ensure Store passwords using reversible encryption is set to Disabled" win_security_policy: section: System Access key: ClearTextPassword 
@@ -116,11 +112,27 @@ - level1-memberserver - rule_1.1.6 - patch + - password + +# This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable +- name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0" + win_security_policy: + section: System Access + key: LockoutBadCount + value: "{{ lockoutbadcount }}" + when: + - rule_1_2_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_1.2.2 + - patch + - account # Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp -- name: "1.2.1 | AUDIT | L1 | Ensure Account lockout duration is set to 15 or more minutes" +- name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes" block: - - name: "1.2.1 | AUDIT | L1 | Ensure Account lockout duration is set to 15 or more minutes" + - name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes" assert: that: lockoutduration | int is version('15', '<=') fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}" @@ -128,7 +140,7 @@ ignore_errors: true register: result - - name: "1.2.1 | PATCH | L1 | Ensure Account lockout duration is set to 15 or more minutes" + - name: "1.2.1 | PATCH | Ensure Account lockout duration is set to 15 or more minutes" win_security_policy: section: System Access key: LockoutDuration 
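Review bot: The 1.2.1 audit asserts `lockoutduration | int is version('15', '<=')`, which passes for 15 or less and fails for 16 and above — the opposite of the control name "set to 15 or more minutes" — while 1.2.3 a few lines down correctly uses `'>='`; the line is context here, but it sits in the hunk this commit reshuffles and should be `that: lockoutduration | int is version('15', '>=')`. Its `fail_msg` is also a copy of 1.2.3's ("before the bad logon counter is reset") and should describe the lockout duration instead, e.g. `fail_msg: "Account lockout duration must be 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}"`. The moved 1.2.2 task and its ordering comment look right; the inline `# Speelman | added because of this error ...` comment now sits between 1.2.2 and 1.2.1 with nothing tying it to either, so it would be clearer reworded to say which task it explains.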
@@ -141,24 +153,11 @@ - level1-memberserver - rule_1.2.1 - patch + - account -# This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable -- name: "1.2.2 | PATCH | L1 | Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0" - win_security_policy: - section: System Access - key: LockoutBadCount - value: "{{ lockoutbadcount }}" - when: - - rule_1_2_2 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.2.2 - - patch - -- name: "1.2.3 | PATCH | L1 | Ensure Reset account lockout counter after is set to 15 or more minutes" +- name: "1.2.3 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes" block: - - name: "1.2.3 | AUDIT | L1 | Ensure Reset account lockout counter after is set to 15 or more minutes" + - name: "1.2.3 | AUDIT | Ensure Reset account lockout counter after is set to 15 or more minutes" assert: that: resetlockoutcount | int is version('15', '>=') fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}" @@ -166,7 +165,7 @@ ignore_errors: true register: result - - name: "1.2.3 | PATCH | L1 | Ensure Reset account lockout counter after is set to 15 or more minutes" + - name: "1.2.3 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes" win_security_policy: section: System Access key: ResetLockoutCount @@ -178,3 +177,4 @@ - level1-memberserver - rule_1.2.3 - patch + - account diff --git a/tasks/section02.yml b/tasks/section02.yml index 2f8b9a3..9d7b936 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml @@ -1,5 +1,6 @@ --- -- name: "2.2.1 | PATCH | L1 | Ensure Access Credential Manager as a trusted caller is set to No One" + +- name: "2.2.1 | PATCH | Ensure Access Credential Manager as a trusted caller is set to No One" win_user_right: name: SeTrustedCredManAccessPrivilege users: [] 
@@ -11,8 +12,9 @@ - level1-memberserver - rule_2.2.1 - patch + - userrights -- name: "2.2.2 & 2.2.3 | PATCH | L1 | Ensure Access this computer from the network is set to Administrators Authenticated Users ENTERPRISE DOMAIN CONTROLLERS DC only" +- name: "2.2.2 & 2.2.3 | PATCH | Ensure Access this computer from the network is set to Administrators Authenticated Users ENTERPRISE DOMAIN CONTROLLERS DC only" win_user_right: name: SeNetworkLogonRight users: @@ -28,8 +30,9 @@ - rule_2.2.2 - rule_2.2.3 - patch + - userrights -- name: "2.2.4 | PATCH | L1 | Ensure Act as part of the operating system is set to No One" +- name: "2.2.4 | PATCH | Ensure Act as part of the operating system is set to No One" win_user_right: name: SeTcbPrivilege users: [] @@ -41,8 +44,9 @@ - level1-memberserver - rule_2.2.4 - patch + - userrights -- name: "2.2.5 | PATCH | L1 | Ensure Add workstations to domain is set to Administrators DC only" +- name: "2.2.5 | PATCH | Ensure Add workstations to domain is set to Administrators DC only" win_user_right: name: SeMachineAccountPrivilege users: Administrators @@ -54,8 +58,9 @@ - level1-domaincontroller - rule_2.2.5 - patch + - userrights -- name: "2.2.6 | PATCH | L1 | Ensure Adjust memory quotas for a process is set to Administrators LOCAL SERVICE NETWORK SERVICE" +- name: "2.2.6 | PATCH | Ensure Adjust memory quotas for a process is set to Administrators LOCAL SERVICE NETWORK SERVICE" win_user_right: name: SeIncreaseQuotaPrivilege users: @@ -70,8 +75,9 @@ - level1-memberserver - rule_2.2.6 - patch + - userrights -- name: "2.2.7 | PATCH | L1 | Ensure Allow log on locally is set to Administrators" +- name: "2.2.7 | PATCH | Ensure Allow log on locally is set to Administrators" win_user_right: name: SeInteractiveLogonRight users: 
@@ -84,8 +90,9 @@ - level1-memberserver - rule_2.2.7 - patch + - userrights -- name: "2.2.8 & 2.2.9 | PATCH | L1 | Ensure Allow log on through Remote Desktop Services is set to Administrators DC only" +- name: "2.2.8 & 2.2.9 | PATCH | Ensure Allow log on through Remote Desktop Services is set to Administrators DC only" win_user_right: name: SeRemoteInteractiveLogonRight users: @@ -101,8 +108,9 @@ - rule_2.2.8 - rule_2.2.9 - patch + - userrights -- name: "2.2.10 | PATCH | L1 | Ensure Back up files and directories is set to Administrators" +- name: "2.2.10 | PATCH | Ensure Back up files and directories is set to Administrators" win_user_right: name: SeBackupPrivilege users: @@ -115,8 +123,9 @@ - level1-memberserver - rule_2.2.10 - patch + - userrights -- name: "2.2.11 | PATCH | L1 | Ensure Change the system time is set to Administrators LOCAL SERVICE" +- name: "2.2.11 | PATCH | Ensure Change the system time is set to Administrators LOCAL SERVICE" win_user_right: name: SeSystemTimePrivilege users: @@ -131,7 +140,7 @@ - rule_2.2.11 - patch -- name: "2.2.12 | PATCH | L1 | Ensure Change the time zone is set to Administrators LOCAL SERVICE" +- name: "2.2.12 | PATCH | Ensure Change the time zone is set to Administrators LOCAL SERVICE" win_user_right: name: SeTimeZonePrivilege users: @@ -145,8 +154,9 @@ - level1-memberserver - rule_2.2.12 - patch + - userrights -- name: "2.2.13 | PATCH | L1 | Ensure Create a pagefile is set to Administrators" +- name: "2.2.13 | PATCH | Ensure Create a pagefile is set to Administrators" win_user_right: name: SeCreatePagefilePrivilege users: @@ -159,8 +169,9 @@ - level1-memberserver - rule_2.2.13 - patch + - userrights -- name: "2.2.14 | PATCH | L1 | Ensure Create a token object is set to No One" +- name: "2.2.14 | PATCH | Ensure Create a token object is set to No One" win_user_right: name: SeCreateTokenPrivilege users: [] 
@@ -172,8 +183,9 @@ - level1-memberserver - rule_2.2.14 - patch + - userrights -- name: "2.2.15 | PATCH | L1 | Ensure Create global objects is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE" +- name: "2.2.15 | PATCH | Ensure Create global objects is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE" win_user_right: name: SeCreateGlobalPrivilege users: @@ -189,8 +201,9 @@ - level1-memberserver - rule_2.2.15 - patch + - userrights -- name: "2.2.16 | PATCH | L1 | Ensure Create permanent shared objects is set to No One" +- name: "2.2.16 | PATCH | Ensure Create permanent shared objects is set to No One" win_user_right: name: SeCreatePermanentPrivilege users: [] @@ -202,8 +215,9 @@ - level1-memberserver - rule_2.2.16 - patch + - userrights -- name: "2.2.17 | PATCH | L1 | Ensure Create symbolic links is set to Administrators DC only" +- name: "2.2.17 | PATCH | Ensure Create symbolic links is set to Administrators DC only" win_user_right: name: SeCreateSymbolicLinkPrivilege users: @@ -216,8 +230,9 @@ - level1-domaincontroller - rule_2.2.17 - patch + - userrights -- name: "2.2.18 | PATCH | L1 | Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only" +- name: "2.2.18 | PATCH | Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only" block: - name: "2.2.18 | PATCH | (L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only | No Hyper-v" win_user_right: @@ -227,7 +242,7 @@ action: set when: not is_hyperv_installed - - name: "2.2.18 | PATCH | L1 | Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only | With Hyper-v" + - name: "2.2.18 | PATCH | Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only | With Hyper-v" win_user_right: name: SeCreateSymbolicLinkPrivilege users: 
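Review bot: The pass that strips `L1 |` from task names missed the first inner task of 2.2.18, whose name is still the unchanged context line `2.2.18 | PATCH | (L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only | No Hyper-v` (with a stray `(`), while its `With Hyper-v` sibling in the next hunk was updated. Change it to `- name: "2.2.18 | PATCH | Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only | No Hyper-v"` so both branches of the block read the same.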
@@ -242,8 +257,9 @@ - level1-memberserver - rule_2.2.18 - patch + - userrights -- name: "2.2.19 | PATCH | L1 | Ensure Debug programs is set to Administrators" +- name: "2.2.19 | PATCH | Ensure Debug programs is set to Administrators" win_user_right: name: SeDebugPrivilege users: @@ -256,9 +272,10 @@ - level1-memberserver - rule_2.2.19 - patch + - userrights # Limiting hardening to only include the Guests group, since Local Account access will still be needed for non-domain-joined nodes -- name: "2.2.20 | PATCH | L1 | Ensure Deny access to this computer from the network to include Guests DC only" +- name: "2.2.20 | PATCH | Ensure Deny access to this computer from the network to include Guests DC only" win_user_right: name: SeDenyNetworkLogonRight users: @@ -271,8 +288,9 @@ - level1-domaincontroller - rule_2.2.20 - patch + - userrights -- name: "2.2.21 | PATCH | L1 | Ensure Deny access to this computer from the network to include Guests Local account and member of Administrators group MS only" +- name: "2.2.21 | PATCH | Ensure Deny access to this computer from the network to include Guests Local account and member of Administrators group MS only" win_user_right: name: SeDenyNetworkLogonRight users: @@ -287,8 +305,9 @@ - level1-memberserver - rule_2.2.21 - patch + - userrights -- name: "2.2.22 | PATCH | L1 | Ensure Deny log on as a batch job to include Guests" +- name: "2.2.22 | PATCH | Ensure Deny log on as a batch job to include Guests" win_user_right: name: SeDenyBatchLogonRight users: @@ -301,8 +320,9 @@ - level1-memberserver - rule_2.2.22 - patch + - userrights -- name: "2.2.23 | PATCH | L1 | Ensure Deny log on as a service to include Guests" +- name: "2.2.23 | PATCH | Ensure Deny log on as a service to include Guests" win_user_right: name: SeDenyServiceLogonRight users: 
@@ -315,8 +335,9 @@ - level1-memberserver - rule_2.2.23 - patch + - userrights -- name: "2.2.24 | PATCH | L1 | Ensure Deny log on locally to include Guests" +- name: "2.2.24 | PATCH | Ensure Deny log on locally to include Guests" win_user_right: name: SeDenyInteractiveLogonRight users: @@ -329,8 +350,9 @@ - level1-memberserver - rule_2.2.24 - patch + - userrights -- name: "2.2.25 | PATCH | L1 | Ensure Deny log on through Remote Desktop Services to include Guests DC only" +- name: "2.2.25 | PATCH | Ensure Deny log on through Remote Desktop Services to include Guests DC only" win_user_right: name: SeDenyRemoteInteractiveLogonRight users: @@ -344,8 +366,9 @@ - level1-domaincontroller - rule_2.2.25 - patch + - guest -- name: "2.2.26 | PATCH | L1 | Ensure Deny log on through Remote Desktop Services is set to Guests Local account MS only" +- name: "2.2.26 | PATCH | Ensure Deny log on through Remote Desktop Services is set to Guests Local account MS only" win_user_right: name: SeDenyRemoteInteractiveLogonRight users: @@ -359,8 +382,9 @@ - level1-memberserver - rule_2.2.26 - patch + - guest -- name: "2.2.27 | PATCH | L1 | Ensure Enable computer and user accounts to be trusted for delegation is set to Administrators DC only" +- name: "2.2.27 | PATCH | Ensure Enable computer and user accounts to be trusted for delegation is set to Administrators DC only" win_user_right: name: SeEnableDelegationPrivilege users: Administrators @@ -373,8 +397,10 @@ - level1-domaincontroller - rule_2.2.27 - patch + - userrights + - administrators -- name: "2.2.28 | PATCH | L1 | Ensure Enable computer and user accounts to be trusted for delegation is set to No One MS only" +- name: "2.2.28 | PATCH | Ensure Enable computer and user accounts to be trusted for delegation is set to No One MS only" win_user_right: name: SeEnableDelegationPrivilege users: [] 
@@ -386,8 +412,9 @@ - level1-memberserver - rule_2.2.28 - patch + - userrights -- name: "2.2.29 | PATCH | L1 | Ensure Force shutdown from a remote system is set to Administrators" +- name: "2.2.29 | PATCH | Ensure Force shutdown from a remote system is set to Administrators" win_user_right: name: SeRemoteShutdownPrivilege users: @@ -400,8 +427,10 @@ - level1-memberserver - rule_2.2.29 - patch + - userrights + - administrators -- name: "2.2.30 | PATCH | L1 | Ensure Generate security audits is set to LOCAL SERVICE NETWORK SERVICE" +- name: "2.2.30 | PATCH | Ensure Generate security audits is set to LOCAL SERVICE NETWORK SERVICE" win_user_right: name: SeAuditPrivilege users: @@ -415,8 +444,10 @@ - level1-memberserver - rule_2.2.30 - patch + - userrights + - services -- name: "2.2.31 | PATCH | L1 | Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE DC only" +- name: "2.2.31 | PATCH | Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE DC only" win_user_right: name: SeImpersonatePrivilege users: @@ -432,8 +463,11 @@ - level1-domaincontroller - rule_2.2.31 - patch + - userrights + - services + - administrators -- name: "2.2.32 | PATCH | L1 | Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE and when the Web Server IIS Role with Web Services Role Service is installed IIS IUSRS MS only" +- name: "2.2.32 | PATCH | Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE and when the Web Server IIS Role with Web Services Role Service is installed IIS IUSRS MS only" win_user_right: name: SeImpersonatePrivilege users: 
@@ -450,8 +484,11 @@ - level1-memberserver - rule_2.2.32 - patch + - userrights + - administrators + - services -- name: "2.2.33 | PATCH | L1 | Ensure Increase scheduling priority is set to Administrators Window ManagerWindow Manager Group" +- name: "2.2.33 | PATCH | Ensure Increase scheduling priority is set to Administrators Window ManagerWindow Manager Group" win_user_right: name: SeIncreaseBasePriorityPrivilege users: "{{ increase_scheduling_priority_users }}" @@ -463,8 +500,9 @@ - level1-memberserver - rule_2.2.33 - patch + - userrights -- name: "2.2.34 | PATCH | L1 | Ensure Load and unload device drivers is set to Administrators" +- name: "2.2.34 | PATCH | Ensure Load and unload device drivers is set to Administrators" win_user_right: name: SeLoadDriverPrivilege users: @@ -477,8 +515,9 @@ - level1-memberserver - rule_2.2.34 - patch + - userrights -- name: "2.2.35 | PATCH | L1 | Ensure Lock pages in memory is set to No One" +- name: "2.2.35 | PATCH | Ensure Lock pages in memory is set to No One" win_user_right: name: SeLockMemoryPrivilege users: [] @@ -490,8 +529,9 @@ - level1-memberserver - rule_2.2.35 - patch + - userrights -- name: "2.2.36 | PATCH | L2 | Ensure Log on as a batch job is set to Administrators DC Only" +- name: "2.2.36 | PATCH | Ensure Log on as a batch job is set to Administrators DC Only" win_user_right: name: SeBatchLogonRight users: Administrators @@ -503,8 +543,10 @@ - level2-domaincontroller - rule_2.2.36 - patch + - userrights + - administrators -- name: "2.2.37 & 2.2.38 | PATCH | L1 | Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only" +- name: "2.2.37 & 2.2.38 | PATCH | Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only" win_user_right: name: SeSecurityPrivilege users: 
@@ -519,8 +561,10 @@ - rule_2.2.37 - rule_2.2.38 - patch + - userrights + - administrators -- name: "2.2.39 | PATCH | L1 | Ensure Modify an object label is set to No One" +- name: "2.2.39 | PATCH | Ensure Modify an object label is set to No One" win_user_right: name: SeReLabelPrivilege users: [] @@ -532,8 +576,9 @@ - level1-memberserver - rule_2.2.39 - patch + - userrights -- name: "2.2.40 | PATCH | L1 | Ensure Modify firmware environment values is set to Administrators" +- name: "2.2.40 | PATCH | Ensure Modify firmware environment values is set to Administrators" win_user_right: name: SeSystemEnvironmentPrivilege users: @@ -546,8 +591,10 @@ - level1-memberserver - rule_2.2.40 - patch + - userrights + - administrators -- name: "2.2.41 | PATCH | L1 | Ensure Perform volume maintenance tasks is set to Administrators" +- name: "2.2.41 | PATCH | Ensure Perform volume maintenance tasks is set to Administrators" win_user_right: name: SeManageVolumePrivilege users: @@ -560,8 +607,10 @@ - level1-memberserver - rule_2.2.41 - patch + - userrights + - administrators -- name: "2.2.42 | PATCH | L1 | Ensure Profile single process is set to Administrators" +- name: "2.2.42 | PATCH | Ensure Profile single process is set to Administrators" win_user_right: name: SeProfileSingleProcessPrivilege users: @@ -574,8 +623,10 @@ - level1-memberserver - rule_2.2.42 - patch + - userrights + - administrators -- name: "2.2.43 | PATCH | L1 | Ensure Profile system performance is set to Administrators NT SERVICEWdiServiceHost" +- name: "2.2.43 | PATCH | Ensure Profile system performance is set to Administrators NT SERVICEWdiServiceHost" win_user_right: name: SeSystemProfilePrivilege users: 
@@ -589,8 +640,11 @@ - level1-memberserver - rule_2.2.43 - patch + - userrights + - administrator + - service -- name: "2.2.44 | PATCH | L1 | Ensure Replace a process level token is set to LOCAL SERVICE NETWORK SERVICE" +- name: "2.2.44 | PATCH | Ensure Replace a process level token is set to LOCAL SERVICE NETWORK SERVICE" win_user_right: name: SeAssignPrimaryTokenPrivilege users: @@ -604,8 +658,10 @@ - level1-memberserver - rule_2.2.44 - patch + - userrights + - service -- name: "2.2.45 | PATCH | L1 | Ensure Restore files and directories is set to Administrators" +- name: "2.2.45 | PATCH | Ensure Restore files and directories is set to Administrators" win_user_right: name: SeRestorePrivilege users: @@ -618,8 +674,10 @@ - level1-memberserver - rule_2.2.45 - patch + - userright + - administrator -- name: "2.2.46 | PATCH | L1 | Ensure Shut down the system is set to Administrators" +- name: "2.2.46 | PATCH | Ensure Shut down the system is set to Administrators" win_user_right: name: SeShutdownPrivilege users: @@ -632,8 +690,10 @@ - level1-memberserver - rule_2.2.46 - patch + - userright + - administrator -- name: "2.2.47 | PATCH | L1 | Ensure Synchronize directory service data is set to No One DC only" +- name: "2.2.47 | PATCH | Ensure Synchronize directory service data is set to No One DC only" win_user_right: name: SeSyncAgentPrivilege users: [] @@ -645,8 +705,9 @@ - level1-domaincontroller - rule_2.2.47 - patch + - userright -- name: "2.2.48 | PATCH | L1 | Ensure Take ownership of files or other objects is set to Administrators" +- name: "2.2.48 | PATCH | Ensure Take ownership of files or other objects is set to Administrators" win_user_right: name: SeTakeOwnershipPrivilege users: 
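Review bot: The tags added to 2.2.43 through 2.2.47 in these hunks use the singular forms `userright`, `administrator` and `service`, whereas every earlier task of this section (2.2.29–2.2.42 on the preceding hunks) was tagged `userrights`, `administrators` and `services`; a run with `--tags userrights` would silently skip the token-replacement, restore, shutdown and directory-sync rights. The same singular `userright`/`administrator` pair is added to 2.2.48 at the start of the next hunk. Renaming them to `- userrights`, `- administrators` and `- services` keeps the whole user-rights section selectable with one tag.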
@@ -659,8 +720,10 @@ - level1-memberserver - rule_2.2.48 - patch + - userright + - administrator -- name: "2.3.1.1 | PATCH | L1 | Ensure Accounts Administrator account status is set to Disabled MS only" +- name: "2.3.1.1 | PATCH | Ensure Accounts Administrator account status is set to Disabled MS only" win_security_policy: section: System Access key: EnableAdminAccount @@ -673,8 +736,9 @@ - level1-memberserver - rule_2.3.1.1 - patch + - securitypolicy -- name: "2.3.1.2 | PATCH | L1 | Ensure Accounts Block Microsoft accounts is set to Users cant add or log on with Microsoft accounts" +- name: "2.3.1.2 | PATCH | Ensure Accounts Block Microsoft accounts is set to Users cant add or log on with Microsoft accounts" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: NoConnectedUser @@ -687,8 +751,9 @@ - level1-memberserver - rule_2.3.1.2 - patch + - securitypolicy -- name: "2.3.1.3 | PATCH | L1 | Ensure Accounts Guest account status is set to Disabled MS only" +- name: "2.3.1.3 | PATCH | Ensure Accounts Guest account status is set to Disabled MS only" win_security_policy: section: System Access key: EnableGuestAccount @@ -699,8 +764,9 @@ - level1-memberserver - rule_2.3.1.3 - patch + - securitypolicy -- name: "2.3.1.4 | PATCH | L1 | Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled" +- name: "2.3.1.4 | PATCH | Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: LimitBlankPasswordUse @@ -713,8 +779,9 @@ - level1-memberserver - rule_2.3.1.4 - patch + - account -- name: "2.3.1.5 | PATCH | L1 | Configure Accounts Rename administrator account" +- name: "2.3.1.5 | PATCH | Configure Accounts Rename administrator account" win_security_policy: section: System Access key: newadministratorname 
@@ -727,8 +794,9 @@ - level1-memberserver - rule_2.3.1.5 - patch + - securitypolicy -- name: "2.3.1.6 | PATCH | L1 | Configure Accounts Rename guest account" +- name: "2.3.1.6 | PATCH | Configure Accounts Rename guest account" win_security_policy: section: System Access key: NewGuestName @@ -740,8 +808,9 @@ - level1-memberservers - rule_2.3.1.6 - patch + - securitypolicy -- name: "2.3.2.1 | PATCH | L1 | Ensure Audit Force audit policy subcategory settings Windows Vista or later to override audit policy category settings is set to Enabled" +- name: "2.3.2.1 | PATCH | Ensure Audit Force audit policy subcategory settings Windows Vista or later to override audit policy category settings is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: SCENoApplyLegacyAuditPolicy @@ -754,8 +823,9 @@ - level1-memberserver - rule_2.3.2.1 - patch + - auditpolicy -- name: "2.3.2.2 | PATCH | L1 | Ensure Audit Shut down system immediately if unable to log security audits is set to Disabled" +- name: "2.3.2.2 | PATCH | Ensure Audit Shut down system immediately if unable to log security audits is set to Disabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: CrashOnAuditFail @@ -768,8 +838,9 @@ - level1-memberserver - rule_2.3.2.2 - patch + - auditpolicy -- name: "2.3.4.1 | PATCH | L1 | Ensure Devices Allowed to format and eject removable media is set to Administrators" +- name: "2.3.4.1 | PATCH | Ensure Devices Allowed to format and eject removable media is set to Administrators" win_regedit: path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon name: AllocateDASD 
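Review bot: The line `- level1-memberservers` under 2.3.1.6 appears to be an unchanged context line carrying a pre-existing typo (plural), and this commit leaves it in place while editing the same tag list; a run with `--tags level1-memberserver` would therefore skip the guest-account rename. Since the hunk already touches this list, correcting it to `- level1-memberserver` here would be cheap. The enclosing task begins before the hunk.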
@@ -782,8 +853,9 @@ - level1-memberserver - rule_2.3.4.1 - patch + - devices -- name: "2.3.4.2 | PATCH | L1 | Ensure Devices Prevent users from installing printer drivers is set to Enabled" +- name: "2.3.4.2 | PATCH | Ensure Devices Prevent users from installing printer drivers is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Print\Providers\Lanman Print Services\Servers name: AddPrinterDrivers @@ -796,8 +868,9 @@ - level1-memberserver - rule_2.3.4.2 - patch + - devices -- name: "2.3.5.1 | PATCH | L1 | Ensure Domain controller Allow server operators to schedule tasks is set to Disabled DC only" +- name: "2.3.5.1 | PATCH | Ensure Domain controller Allow server operators to schedule tasks is set to Disabled DC only" win_regedit: path: HKLM:\System\CurrentControlSet\Control\Lsa name: SubmitControl @@ -811,8 +884,9 @@ - level1-domaincontroller - rule_2.3.5.1 - patch + - scheduledtasks -- name: "2.3.5.2 | PATCH | L1 | Ensure Domain controller Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured DC only" +- name: "2.3.5.2 | PATCH | Ensure Domain controller Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured DC only" win_regedit: path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters name: VulnerableChannelAllowList @@ -826,8 +900,9 @@ - level1-domaincontroller - rule_2.3.5.2 - patch + - logon -- name: "2.3.5.3 | PATCH | L1 | Ensure Domain controller LDAP server channel binding token requirements' is set to 'Always' DC only" +- name: "2.3.5.3 | PATCH | Ensure Domain controller LDAP server channel binding token requirements' is set to 'Always' DC only" win_regedit: path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters name: LdapEnforceChannelBinding 
@@ -841,8 +916,9 @@ - level1-domaincontroller - rule_2.3.5.3 - patch + - ladp -- name: "2.3.5.4 | PATCH | L1 | Ensure Domain controller LDAP server signing requirements is set to Require signing DC only" +- name: "2.3.5.4 | PATCH | Ensure Domain controller LDAP server signing requirements is set to Require signing DC only" win_regedit: path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters name: LDAPServerIntegrity @@ -855,8 +931,9 @@ - level1-domaincontroller - rule_2.3.5.4 - patch + - ladp -- name: "2.3.5.5 | PATCH | L1 | Ensure Domain controller Refuse machine account password changes is set to Disabled DC only" +- name: "2.3.5.5 | PATCH | Ensure Domain controller Refuse machine account password changes is set to Disabled DC only" win_regedit: path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters name: RefusePasswordChange @@ -870,8 +947,9 @@ - level1-domaincontroller - rule_2.3.5.5 - patch + - account -- name: "2.3.6.1 | PATCH | L1 | Ensure Domain member Digitally encrypt or sign secure channel data always is set to Enabled" +- name: "2.3.6.1 | PATCH | Ensure Domain member Digitally encrypt or sign secure channel data always is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters name: RequireSignOrSeal @@ -886,8 +964,9 @@ - level1-memberserver - rule_2.3.6.1 - patch + - encryption -- name: "2.3.6.2 | PATCH | L1 | Ensure Domain member Digitally encrypt secure channel data when possible is set to Enabled" +- name: "2.3.6.2 | PATCH | Ensure Domain member Digitally encrypt secure channel data when possible is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters name: sealsecurechannel 
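Review bot: The tag added to 2.3.5.3 and 2.3.5.4 is spelled `ladp`, which looks like a transposition of `ldap`; the same spelling is added to 2.3.11.8 later in the file, so the misspelt form would be the only way to select the LDAP channel-binding and signing tasks. Changing all three occurrences to `- ldap` keeps the tag greppable and consistent with the `ntlm`, `sam` and `uac` tags this commit introduces elsewhere.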
@@ -902,8 +981,9 @@ - level1-memberserver - rule_2.3.6.2 - patch + - encryption -- name: "2.3.6.3 | PATCH | L1 | Ensure Domain member Digitally sign secure channel data when possible is set to Enabled" +- name: "2.3.6.3 | PATCH | Ensure Domain member Digitally sign secure channel data when possible is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters name: signsecurechannel @@ -917,8 +997,9 @@ - level1-memberserver - rule_2.3.6.3 - patch + - logon -- name: "2.3.6.4 | PATCH | L1 | Ensure Domain member Disable machine account password changes is set to Disabled" +- name: "2.3.6.4 | PATCH | Ensure Domain member Disable machine account password changes is set to Disabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters name: disablepasswordchange @@ -932,8 +1013,9 @@ - level1-memberserver - rule_2.3.6.4 - patch + - logon -- name: "2.3.6.5 | PATCH | L1 | Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0" +- name: "2.3.6.5 | PATCH | Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters name: MaximumPasswordAge @@ -947,8 +1029,9 @@ - level1-memberserver - rule_2.3.6.5 - patch + - account -- name: "2.3.6.6 | PATCH | L1 | Ensure Domain member Require strong Windows 2000 or later session key is set to Enabled" +- name: "2.3.6.6 | PATCH | Ensure Domain member Require strong Windows 2000 or later session key is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters name: RequireStrongKey 
@@ -962,8 +1045,9 @@ - level1-memberserver - rule_2.3.6.6 - patch + - logon -- name: "2.3.7.1 | PATCH | L1 | Ensure Interactive logon Do not require CTRLALTDEL is set to Disabled" +- name: "2.3.7.1 | PATCH | Ensure Interactive logon Do not require CTRLALTDEL is set to Disabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: DisableCAD @@ -976,8 +1060,9 @@ - level1-memberserver - rule_2.3.7.1 - patch + - logon -- name: "2.3.7.2 | PATCH | L1 | Ensure Interactive logon Dont display last signed-in is set to Enabled" +- name: "2.3.7.2 | PATCH | Ensure Interactive logon Dont display last signed-in is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: DontDisplayLastUserName @@ -990,8 +1075,9 @@ - level1-memberserver - rule_2.3.7.2 - patch + - logon -- name: "2.3.7.3 | PATCH | L1 | Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0" +- name: "2.3.7.3 | PATCH | Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: InactivityTimeoutSecs @@ -1004,8 +1090,9 @@ - level1-memberserver - rule_2.3.7.3 - patch + - logon -- name: "2.3.7.4 | PATCH | L1 | Configure Interactive logon Message text for users attempting to log on" +- name: "2.3.7.4 | PATCH | Configure Interactive logon Message text for users attempting to log on" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: LegalNoticeText @@ -1018,8 +1105,9 @@ - level1-memberserver - rule_2.3.7.4 - patch + - logon -- name: "2.3.7.5 | PATCH | L1 | Configure Interactive logon Message title for users attempting to log on" +- name: "2.3.7.5 | PATCH | Configure Interactive logon Message title for users attempting to log on" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: LegalNoticeCaption 
@@ -1032,8 +1120,9 @@ - level1-memberserver - rule_2.3.7.5 - patch + - logon -- name: "2.3.7.6 | PATCH | L2 | Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only" +- name: "2.3.7.6 | PATCH | Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only" win_regedit: path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon name: cachedlogonscount @@ -1045,8 +1134,9 @@ - level2-memberserver - rule_2.3.7.6 - patch + - logon -- name: "2.3.7.7 | PATCH | L1 | Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days" +- name: "2.3.7.7 | PATCH | Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days" win_regedit: path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon name: PasswordExpiryWarning @@ -1059,8 +1149,9 @@ - level1-memberserver - rule_2.3.7.7 - patch + - logon -- name: "2.3.7.8 | PATCH | L1 | Ensure Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only" +- name: "2.3.7.8 | PATCH | Ensure Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only" win_regedit: path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon name: ForceUnlockLogon @@ -1073,8 +1164,9 @@ - level1-memberserver - rule_2.3.7.8 - patch + - logon -- name: "2.3.7.9 | PATCH | L1 | Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher" +- name: "2.3.7.9 | PATCH | Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher" win_regedit: path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon name: scremoveoption 
@@ -1087,8 +1179,9 @@ - level1-memberserver - rule_2.3.7.9 - patch + - logon -- name: "2.3.8.1 | PATCH | L1 | Ensure Microsoft network client Digitally sign communications always is set to Enabled" +- name: "2.3.8.1 | PATCH | Ensure Microsoft network client Digitally sign communications always is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters name: RequireSecuritySignature @@ -1101,8 +1194,9 @@ - level1-memberserver - rule_2.3.8.1 - patch + - logon -- name: "2.3.8.2 | PATCH | L1 | Ensure Microsoft network client Digitally sign communications if server agrees is set to Enabled" +- name: "2.3.8.2 | PATCH | Ensure Microsoft network client Digitally sign communications if server agrees is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters name: EnableSecuritySignature @@ -1115,8 +1209,9 @@ - level1-memberserver - rule_2.3.8.2 - patch + - logon -- name: "2.3.8.3 | PATCH | L1 | Ensure Microsoft network client Send unencrypted password to third-party SMB servers is set to Disabled" +- name: "2.3.8.3 | PATCH | Ensure Microsoft network client Send unencrypted password to third-party SMB servers is set to Disabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters name: EnablePlainTextPassword @@ -1129,8 +1224,9 @@ - level1-memberserver - rule_2.3.8.3 - patch + - encryption -- name: "2.3.9.1 | PATCH | L1 | Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes" +- name: "2.3.9.1 | PATCH | Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: autodisconnect 
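Review bot: The `logon` tag added to the SMB client signing tasks 2.3.8.1 and 2.3.8.2 does not describe the setting (RequireSecuritySignature / EnableSecuritySignature under Lanmanworkstation), and the matching server-side signing tasks 2.3.9.2–2.3.9.4 in the following hunks get `account` instead, so the two halves of the same control cannot be selected together. A shared tag such as `- smb` on both groups would be more useful than either, leaving `logon` for the Interactive logon rules in 2.3.7.x where it is already used.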
@@ -1143,8 +1239,9 @@ - level1-memberserver - rule_2.3.9.1 - patch + - account -- name: "2.3.9.2 | PATCH | L1 | Ensure Microsoft network server Digitally sign communications always is set to Enabled" +- name: "2.3.9.2 | PATCH | Ensure Microsoft network server Digitally sign communications always is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: requiresecuritysignature @@ -1157,8 +1254,9 @@ - level1-memberserver - rule_2.3.9.2 - patch + - account -- name: "2.3.9.3 | PATCH | L1 | Ensure Microsoft network server Digitally sign communications if client agrees is set to Enabled" +- name: "2.3.9.3 | PATCH | Ensure Microsoft network server Digitally sign communications if client agrees is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: enablesecuritysignature @@ -1171,8 +1269,9 @@ - level1-memberserver - rule_2.3.9.3 - patch + - account -- name: "2.3.9.4 | PATCH | L1 | Ensure Microsoft network server Disconnect clients when logon hours expire is set to Enabled" +- name: "2.3.9.4 | PATCH | Ensure Microsoft network server Disconnect clients when logon hours expire is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: enableforcedlogoff @@ -1185,8 +1284,9 @@ - level1-memberserver - rule_2.3.9.4 - patch + - account -- name: "2.3.9.5 | PATCH | L1 | Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher MS only" +- name: "2.3.9.5 | PATCH | Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher MS only" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: SMBServerNameHardeningLevel 
@@ -1200,8 +1300,9 @@ - level1-memberserver - rule_2.3.9.5 - patch + - account -- name: "2.3.10.1 | PATCH | L1 | Ensure Network access Allow anonymous SIDName translation is set to Disabled" +- name: "2.3.10.1 | PATCH | Ensure Network access Allow anonymous SIDName translation is set to Disabled" win_security_policy: section: System Access key: LSAAnonymousNameLookup @@ -1213,8 +1314,9 @@ - level1-memberserver - rule_2.3.10.1 - patch + - securitypolicy -- name: "2.3.10.2 | PATCH | L1 | Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only" +- name: "2.3.10.2 | PATCH | Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: RestrictAnonymousSAM @@ -1227,8 +1329,9 @@ - level1-memberserver - rule_2.3.10.2 - patch + - sam -- name: "2.3.10.3 | PATCH | L1 | Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only" +- name: "2.3.10.3 | PATCH | Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: RestrictAnonymous @@ -1241,8 +1344,9 @@ - level1-memberserver - rule_2.3.10.3 - patch + - sam -- name: "2.3.10.4 | PATCH | L2 | Ensure Network access Do not allow storage of passwords and credentials for network authentication is set to Enabled" +- name: "2.3.10.4 | PATCH | Ensure Network access Do not allow storage of passwords and credentials for network authentication is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: DisableDomainCreds 
@@ -1255,8 +1359,9 @@ - level2-memberserver - rule_2.3.10.4 - patch + - accounts -- name: "2.3.10.5 | PATCH | L1 | Ensure Network access Let Everyone permissions apply to anonymous users is set to Disabled" +- name: "2.3.10.5 | PATCH | Ensure Network access Let Everyone permissions apply to anonymous users is set to Disabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: EveryoneIncludesAnonymous @@ -1269,8 +1374,9 @@ - level1-memberserver - rule_2.3.10.5 - patch + - accounts -- name: "2.3.10.6 | PATCH | L1 | Configure Network access Named Pipes that can be accessed anonymously DC only" +- name: "2.3.10.6 | PATCH | Configure Network access Named Pipes that can be accessed anonymously DC only" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: NullSessionPipes @@ -1283,8 +1389,9 @@ - level1-domaincontroller - rule_2.3.10.6 - patch + - namedpipes -- name: "2.3.10.7 | PATCH | L1 | Configure Network access Named Pipes that can be accessed anonymously MS only" +- name: "2.3.10.7 | PATCH | Configure Network access Named Pipes that can be accessed anonymously MS only" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: NullSessionPipes @@ -1297,8 +1404,9 @@ - level1-memberserver - rule_2.3.10.7 - patch + - namedpipes -- name: "2.3.10.8 | PATCH | L1 | Configure Network access Remotely accessible registry paths" +- name: "2.3.10.8 | PATCH | Configure Network access Remotely accessible registry paths" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\AllowedExactpaths name: "Machine" @@ -1312,7 +1420,7 @@ - rule_2.3.10.8 - patch -- name: "2.3.10.9 | PATCH | L1 | Configure Network access Remotely accessible registry paths and sub-paths" +- name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths name: "Machine" 
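Review bot: The tag added to 2.3.10.4 and 2.3.10.5 is the plural `accounts`, while the earlier hunks in this file use the singular `account` (2.3.1.4, 2.3.5.5, 2.3.6.5, 2.3.9.x), so `--tags account` would miss these two anonymous-access settings. In addition, 2.3.10.8 in this hunk (and 2.3.10.9 at the start of the next one, as well as 2.3.15.1 and 2.3.15.2 further down) receives only the name change and no category tag, unlike every neighbouring task. Changing the two to `- account` and giving the untagged remote-registry-path tasks a tag such as `- registry` would close both gaps.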
@@ -1326,7 +1434,7 @@ - rule_2.3.10.9 - patch -- name: "2.3.10.10 | PATCH | L1 | Ensure Network access Restrict anonymous access to Named Pipes and Shares is set to Enabled" +- name: "2.3.10.10 | PATCH | Ensure Network access Restrict anonymous access to Named Pipes and Shares is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: RestrictNullSessAccess @@ -1339,8 +1447,9 @@ - level1-memberserver - rule_2.3.10.10 - patch + - namedpipes -- name: "2.3.10.11 | PATCH | L1 | Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators Remote Access Allow MS only" +- name: "2.3.10.11 | PATCH | Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators Remote Access Allow MS only" win_regedit: path: HKLM:\System\CurrentControlSet\Control\Lsa name: RestrictRemoteSAM @@ -1352,8 +1461,9 @@ - level1-memberserver - rule_2.3.10.11 - patch + - sam -- name: "2.3.10.12 | PATCH | L1 | Ensure Network access Shares that can be accessed anonymously is set to None" +- name: "2.3.10.12 | PATCH | Ensure Network access Shares that can be accessed anonymously is set to None" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: NullSessionShares @@ -1366,8 +1476,9 @@ - level1-memberserver - rule_2.3.10.12 - patch + - shares -- name: "2.3.10.13 | PATCH | L1 | Ensure Network access Sharing and security model for local accounts is set to Classic - local users authenticate as themselves" +- name: "2.3.10.13 | PATCH | Ensure Network access Sharing and security model for local accounts is set to Classic - local users authenticate as themselves" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: ForceGuest 
@@ -1380,8 +1491,9 @@ - level1-memberserver - rule_2.3.10.13 - patch + - guest -- name: "2.3.11.1 | PATCH | L1 | Ensure Network security Allow Local System to use computer identity for NTLM is set to Enabled" +- name: "2.3.11.1 | PATCH | Ensure Network security Allow Local System to use computer identity for NTLM is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: UseMachineId @@ -1394,8 +1506,9 @@ - level1-memberserver - rule_2.3.11.1 - patch + - ntlm -- name: "2.3.11.2 | PATCH | L1 | Ensure Network security Allow LocalSystem NULL session fallback is set to Disabled" +- name: "2.3.11.2 | PATCH | Ensure Network security Allow LocalSystem NULL session fallback is set to Disabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 name: allownullsessionfallback @@ -1408,8 +1521,9 @@ - level1-memberserver - rule_2.3.11.2 - patch + - localsystem -- name: "2.3.11.3 | PATCH | L1 | Ensure Network Security Allow PKU2U authentication requests to this computer to use online identities is set to Disabled" +- name: "2.3.11.3 | PATCH | Ensure Network Security Allow PKU2U authentication requests to this computer to use online identities is set to Disabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa\Pku2U name: AllowOnlineID @@ -1422,8 +1536,9 @@ - level1-memberserver - rule_2.3.11.3 - patch + - authentication -- name: "2.3.11.4 | PATCH | L1 | Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types" +- name: "2.3.11.4 | PATCH | Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters name: SupportedEncryptionTypes 
@@ -1436,8 +1551,9 @@ - level1-memberserver - rule_2.3.11.4 - patch + - encryption -- name: "2.3.11.5 | PATCH | L1 | Ensure Network security Do not store LAN Manager hash value on next password change is set to Enabled" +- name: "2.3.11.5 | PATCH | Ensure Network security Do not store LAN Manager hash value on next password change is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: NoLMHash @@ -1450,8 +1566,9 @@ - level1-memberserver - rule_2.3.11.5 - patch + - network -- name: "2.3.11.6 | PATCH | L1 | Ensure Network security Force logoff when logon hours expire is set to Enabled" +- name: "2.3.11.6 | PATCH | Ensure Network security Force logoff when logon hours expire is set to Enabled" win_regedit: path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters name: EnableForcedLogOff @@ -1464,8 +1581,9 @@ - level1-memberserver - rule_2.3.11.6 - patch + - network -- name: "2.3.11.7 | PATCH | L1 | Ensure Network security LAN Manager authentication level is set to Send NTLMv2 response only. Refuse LM NTLM" +- name: "2.3.11.7 | PATCH | Ensure Network security LAN Manager authentication level is set to Send NTLMv2 response only. Refuse LM NTLM" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: LMCompatibilityLevel @@ -1478,8 +1596,9 @@ - level1-memberserver - rule_2.3.11.7 - patch + - network -- name: "2.3.11.8 | PATCH | L1 | Ensure Network security LDAP client signing requirements is set to Negotiate signing or higher" +- name: "2.3.11.8 | PATCH | Ensure Network security LDAP client signing requirements is set to Negotiate signing or higher" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Ldap name: LDAPClientIntegrity 
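Review bot: The `network` tag added to 2.3.11.5 (NoLMHash) and 2.3.11.7 (LMCompatibilityLevel) separates them from the other NTLM hardening tasks 2.3.11.1, 2.3.11.9 and 2.3.11.10, which are tagged `ntlm` in this and the next hunk, even though these registry values are the core of the LM/NTLM configuration and are normally applied as a set. Tagging 2.3.11.5 and 2.3.11.7 with `- ntlm` as well keeps the grouping consistent; 2.3.11.6 is a Lanmanserver forced-logoff setting and arguably belongs with the `account` tag given to 2.3.9.4.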
@@ -1492,8 +1611,9 @@ - level1-memberserver - rule_2.3.11.8 - patch + - ladp -- name: "2.3.11.9 | PATCH | L1 | Ensure Network security Minimum session security for NTLM SSP based including secure RPC clients is set to Require NTLMv2 session security Require 128-bit encryption" +- name: "2.3.11.9 | PATCH | Ensure Network security Minimum session security for NTLM SSP based including secure RPC clients is set to Require NTLMv2 session security Require 128-bit encryption" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 name: NTLMMinClientSec @@ -1506,8 +1626,9 @@ - level1-memberserver - rule_2.3.11.9 - patch + - ntlm -- name: "2.3.11.10 | PATCH | L1 | Ensure Network security Minimum session security for NTLM SSP based including secure RPC servers is set to Require NTLMv2 session security Require 128-bit encryption" +- name: "2.3.11.10 | PATCH | Ensure Network security Minimum session security for NTLM SSP based including secure RPC servers is set to Require NTLMv2 session security Require 128-bit encryption" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 name: NTLMMinServerSec @@ -1520,8 +1641,9 @@ - level1-memberserver - rule_2.3.11.10 - patch + - ntlm -- name: "2.3.13.1 | PATCH | L1 | Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled" +- name: "2.3.13.1 | PATCH | Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: ShutdownWithoutLogon 
@@ -1534,8 +1656,10 @@ - level1-memberserver - rule_2.3.13.1 - patch + - system + - shutdown -- name: "2.3.15.1 | PATCH | L1 | Ensure System objects Require case insensitivity for non-Windows subsystems is set to Enabled" +- name: "2.3.15.1 | PATCH | Ensure System objects Require case insensitivity for non-Windows subsystems is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Session Manager\Kernel name: ObCaseInsensitive @@ -1549,7 +1673,7 @@ - rule_2.3.15.1 - patch -- name: "2.3.15.2 | PATCH | L1 | Ensure System objects Strengthen default permissions of internal system objects e.g. Symbolic Links is set to Enabled" +- name: "2.3.15.2 | PATCH | Ensure System objects Strengthen default permissions of internal system objects e.g. Symbolic Links is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Session Manager name: ProtectionMode @@ -1563,7 +1687,7 @@ - rule_2.3.15.2 - patch -- name: "2.3.17.1 | PATCH | L1 | Ensure User Account Control Admin Approval Mode for the Built-in Administrator account is set to Enabled" +- name: "2.3.17.1 | PATCH | Ensure User Account Control Admin Approval Mode for the Built-in Administrator account is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: FilterAdministratorToken @@ -1576,8 +1700,9 @@ - level1-memberserver - rule_2.3.17.1 - patch + - uac -- name: "2.3.17.2 | PATCH | L1 | Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop" +- name: "2.3.17.2 | PATCH | Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: ConsentPromptBehaviorAdmin 
@@ -1590,8 +1715,9 @@ - level1-memberserver - rule_2.3.17.2 - patch + - uac -- name: "2.3.17.3 | PATCH | L1 | Ensure User Account Control Behavior of the elevation prompt for standard users is set to Automatically deny elevation requests" +- name: "2.3.17.3 | PATCH | Ensure User Account Control Behavior of the elevation prompt for standard users is set to Automatically deny elevation requests" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: ConsentPromptBehaviorUser @@ -1604,8 +1730,9 @@ - level1-memberserver - rule_2.3.17.3 - patch + - uac -- name: "2.3.17.4 | PATCH | L1 | Ensure User Account Control Detect application installations and prompt for elevation is set to Enabled" +- name: "2.3.17.4 | PATCH | Ensure User Account Control Detect application installations and prompt for elevation is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: EnableInstallerDetection @@ -1618,8 +1745,9 @@ - level1-memberserver - rule_2.3.17.4 - patch + - uac -- name: "2.3.17.5 | PATCH | L1 | Ensure User Account Control Only elevate UIAccess applications that are installed in secure locations is set to Enabled" +- name: "2.3.17.5 | PATCH | Ensure User Account Control Only elevate UIAccess applications that are installed in secure locations is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: EnableSecureUIAPaths @@ -1632,8 +1760,9 @@ - level1-memberserver - rule_2.3.17.5 - patch + - uac -- name: "2.3.17.6 | PATCH | L1 | Ensure User Account Control Run all administrators in Admin Approval Mode is set to Enabled" +- name: "2.3.17.6 | PATCH | Ensure User Account Control Run all administrators in Admin Approval Mode is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: EnableLUA 
@@ -1646,8 +1775,9 @@ - level1-memberserver - rule_2.3.17.6 - patch + - uac -- name: "2.3.17.7 | PATCH | L1 | Ensure User Account Control Switch to the secure desktop when prompting for elevation is set to Enabled" +- name: "2.3.17.7 | PATCH | Ensure User Account Control Switch to the secure desktop when prompting for elevation is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: PromptOnSecureDesktop @@ -1660,8 +1790,9 @@ - level1-memberserver - rule_2.3.17.7 - patch + - uac -- name: "2.3.17.8 | PATCH | L1 | Ensure User Account Control Virtualize file and registry write failures to per-user locations is set to Enabled" +- name: "2.3.17.8 | PATCH | Ensure User Account Control Virtualize file and registry write failures to per-user locations is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: EnableVirtualization @@ -1674,3 +1805,4 @@ - level1-memberserver - rule_2.3.17.8 - patch + - uac diff --git a/tasks/section05.yml b/tasks/section05.yml new file mode 100644 index 0000000..4e30849 --- /dev/null +++ b/tasks/section05.yml @@ -0,0 +1,20 @@ +--- + +- name: | + "5.1 | PATCH | Ensure Print Spooler (Spooler) is set to Disabled + 5.2 | PATCH | Ensure 'Print Spooler (Spooler) is set to Disabled" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Spooler + name: Start + data: 4 + type: dword + when: + - rule_5_1 or + rule_5_2 + tags: + - level1-domaincontroller + - level2-domainmember + - rule_5.1 + - rule_5.2 + - patch + - printer diff --git a/tasks/section09.yml b/tasks/section09.yml index 17924c4..5919adc 100644 --- a/tasks/section09.yml +++ b/tasks/section09.yml 
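Review bot: In the new tasks/section05.yml the task name is a block scalar (`- name: |`) whose two lines carry unbalanced quotes (`"5.1 ...` on the first, `'Print Spooler ... Disabled"` on the second), so the name printed at run time contains literal quote characters and an embedded newline, unlike every other task in this diff; a single line such as `- name: "5.1 | 5.2 | PATCH | Ensure 'Print Spooler (Spooler)' is set to 'Disabled'"` is what the rest of the role does. The `level2-domainmember` tag also does not match the `level1-memberserver` / `level1-domaincontroller` naming used in every other section, so a `--tags level2-memberserver` run would not select it — presumably `level2-memberserver` is intended. The `when` list item `rule_5_1 or rule_5_2` works, but is simpler and less surprising as `when: rule_5_1 or rule_5_2`. Note too that one task serves both the DC-only and the MS-only benchmark item with no host-role condition, so whichever of `rule_5_1`/`rule_5_2` is true applies to every host; confirm that is the intended behaviour.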
@@ -1,5 +1,6 @@ --- -- name: "9.1.1 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'" + +- name: "9.1.1 | PATCH | Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Domainprofile name: EnableFirewall @@ -12,8 +13,10 @@ - level1-memberserver - rule_9.1.1 - patch + - firewall + - domain -- name: "9.1.2 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" +- name: "9.1.2 | PATCH | Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile name: DefaultInboundAction @@ -26,8 +29,10 @@ - level1-memberserver - rule_9.1.2 - patch + - firewall + - domain -- name: "9.1.3 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'" +- name: "9.1.3 | PATCH | Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile name: DefaultOutboundAction @@ -40,8 +45,10 @@ - level1-memberserver - rule_9.1.3 - patch + - firewall + - domain -- name: "9.1.4 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" +- name: "9.1.4 | PATCH | Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile name: DisableNotifications 
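Review bot: The 9.1.1 task in the first hunk keeps the registry path as `HKLM:\Software\Policies\Microsoft\Windowsfirewall\Domainprofile`, whereas 9.1.2–9.1.4 in the following hunks use `HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile`. Registry key names are case-insensitive, so this is style only, but since the commit already rewrites the 9.1.1 name line it is a cheap moment to align the path with its neighbours: `path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile`. The 9.1.1 task's data, type, when and tags lie outside the hunk.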
@@ -54,9 +61,11 @@ - level1-memberserver - rule_9.1.4 - patch + - firewall + - domain # title has slashes switched -- name: "9.1.5 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/domainfw.log'" +- name: "9.1.5 | PATCH | Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/domainfw.log'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging name: LogFilePath @@ -69,8 +78,10 @@ - level1-memberserver - rule_9.1.5 - patch + - firewall + - domain -- name: "9.1.6 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" +- name: "9.1.6 | PATCH | Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging name: LogFileSize @@ -83,8 +94,10 @@ - level1-memberserver - rule_9.1.6 - patch + - firewall + - domain -- name: "9.1.7 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" +- name: "9.1.7 | PATCH | Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging name: LogDroppedPackets @@ -97,8 +110,10 @@ - level1-memberserver - rule_9.1.7 - patch + - firewall + - domain -- name: "9.1.8 | PATCH | L1 | Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" +- name: "9.1.8 | PATCH | Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging name: LogSuccessfulConnections 
@@ -111,8 +126,10 @@ - level1-memberserver - rule_9.1.7 - patch + - firewall + - domain -- name: "9.2.1 | PATCH | L1 | Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" +- name: "9.2.1 | PATCH | Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile name: EnableFirewall @@ -125,8 +142,10 @@ - level1-memberserver - rule_9.2.1 - patch + - firewall + - private -- name: "9.2.2 | PATCH | L1 | Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" +- name: "9.2.2 | PATCH | Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile name: DefaultInboundAction @@ -139,8 +158,10 @@ - level1-memberserver - rule_9.2.2 - patch + - firewall + - private -- name: "9.2.3 | PATCH | L1 | Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" +- name: "9.2.3 | PATCH | Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile name: DefaultOutboundAction @@ -153,8 +174,10 @@ - level1-memberserver - rule_9.2.3 - patch + - firewall + - private -- name: "9.2.4 | PATCH | L1 | Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" +- name: "9.2.4 | PATCH | Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile name: DisableNotifications 
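Review bot: The tag list at the top of the first hunk carries `- rule_9.1.7`, but by position it belongs to the 9.1.8 task (its `name: LogSuccessfulConnections` registry value closes the previous hunk), so 9.1.8 is tagged as 9.1.7: `--tags rule_9.1.8` selects nothing and `--tags rule_9.1.7` runs two tasks. The commit already edits this tag list to add `firewall` and `domain`, so the same change should correct it to `- rule_9.1.8`. The 9.1.8 task starts before the hunk.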
@@ -167,9 +190,11 @@ - level1-memberserver - rule_9.2.4 - patch + - firewall + - private # title has slashes switched -- name: "9.2.5 | PATCH | L1 | Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/privatefw.log'" +- name: "9.2.5 | PATCH | Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/privatefw.log'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging name: LogFilePath @@ -182,8 +207,10 @@ - level1-memberserver - rule_9.2.5 - patch + - firewall + - private -- name: "9.2.6 | PATCH | L1 | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" +- name: "9.2.6 | PATCH | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging name: LogFileSize @@ -196,8 +223,10 @@ - level1-memberserver - rule_9.2.6 - patch + - firewall + - private -- name: "9.2.7 | PATCH | L1 | Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" +- name: "9.2.7 | PATCH | Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging name: LogDroppedPackets @@ -210,8 +239,10 @@ - level1-memberserver - rule_9.2.7 - patch + - firewall + - private -- name: "9.2.8 | PATCH | L1 | Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" +- name: "9.2.8 | PATCH | Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging name: LogSuccessfulConnections 
@@ -224,8 +255,10 @@ - level1-memberserver - rule_9.2.8 - patch + - firewall + - private -- name: "9.3.1 | PATCH | L1 | Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" +- name: "9.3.1 | PATCH | Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile name: EnableFirewall @@ -238,8 +271,10 @@ - level1-memberserver - rule_9.3.1 - patch + - firewall + - public -- name: "9.3.2 | PATCH | L1 | Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" +- name: "9.3.2 | PATCH | Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile name: DefaultInboundAction @@ -252,8 +287,10 @@ - level1-memberserver - rule_9.3.2 - patch + - firewall + - public -- name: "9.3.3 | PATCH | L1 | Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" +- name: "9.3.3 | PATCH | Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile name: DefaultOutboundAction @@ -266,8 +303,10 @@ - level1-memberserver - rule_9.3.3 - patch + - firewall + - public -- name: "9.3.4 | PATCH | L1 | Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" +- name: "9.3.4 | PATCH | Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile name: DisableNotifications 
@@ -280,8 +319,10 @@ - level1-memberserver - rule_9.3.4 - patch + - firewall + - public -- name: "9.3.5 | PATCH | L1 | Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" +- name: "9.3.5 | PATCH | Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile name: AllowLocalPolicyMerge @@ -295,8 +336,10 @@ - level1-memberserver - rule_9.3.5 - patch + - firewall + - public -- name: "9.3.6 | PATCH | L1 | Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" +- name: "9.3.6 | PATCH | Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile name: AllowLocalIPsecPolicyMerge @@ -309,9 +352,11 @@ - level1-memberserver - rule_9.3.6 - patch + - firewall + - public # title has slashes switched -- name: "9.3.7 | PATCH | L1 | Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/publicfw.log'" +- name: "9.3.7 | PATCH | Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/publicfw.log'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging name: LogFilePath @@ -324,8 +369,10 @@ - level1-memberserver - rule_9.3.7 - patch + - firewall + - public -- name: "9.3.8 | PATCH | L1 | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" +- name: "9.3.8 | PATCH | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging name: LogFileSize 
@@ -338,8 +385,10 @@ - level1-memberserver - rule_9.3.8 - patch + - firewall + - public -- name: "9.3.9 | PATCH | L1 | Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" +- name: "9.3.9 | PATCH | Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging name: LogDroppedPackets @@ -352,8 +401,10 @@ - level1-memberserver - rule_9.3.9 - patch + - firewall + - public -- name: "9.3.10 | PATCH | L1 | Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" +- name: "9.3.10 | PATCH | Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging name: LogSuccessfulConnections @@ -366,3 +417,5 @@ - level1-memberserver - rule_9.3.10 - patch + - firewall + - public diff --git a/tasks/section17.yml b/tasks/section17.yml index bbc2e93..1285ad3 100644 --- a/tasks/section17.yml +++ b/tasks/section17.yml 
@@ -1,19 +1,20 @@ --- -- name: "17.1.1 | PATCH | L1 | Ensure Audit Credential Validation is set to Success and Failure" + +- name: "17.1.1 | PATCH | Ensure Audit Credential Validation is set to Success and Failure" block: - - name: "17.1.1 | AUDIT | L1 | Ensure Audit Credential Validation is set to Success and Failure" + - name: "17.1.1 | AUDIT | Ensure Audit Credential Validation is set to Success and Failure" win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_1_1_audit changed_when: false failed_when: false check_mode: false - - name: "17.1.1 | PATCH | L1 | Ensure Audit Credential Validation is set to Success and Failure | Success" + - name: "17.1.1 | PATCH | Ensure Audit Credential Validation is set to Success and Failure | Success" win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable when: "'Success' not in rule_17_1_1_audit.stdout" changed_when: "'Success' not in rule_17_1_1_audit.stdout" - - name: "17.1.1 | PATCH | L1 | Ensure Audit Credential Validation is set to Success and Failure | Failure" + - name: "17.1.1 | PATCH | Ensure Audit Credential Validation is set to Success and Failure | Failure" win_shell: AuditPol /set /subcategory:"Credential Validation" /failure:enable when: "'Failure' not in rule_17_1_1_audit.stdout" changed_when: "'Failure' not in rule_17_1_1_audit.stdout" 
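Review bot: The audit step in this hunk runs `AuditPol /get /subcategory:"Credential Validation"` with `failed_when: false`, so if auditpol errors (for example because the subcategory display name does not match on a non-English install, which auditpol localises) `rule_17_1_1_audit.stdout` is empty and both `/set` sub-tasks run and report changed on every play, which hides the real failure rather than surfacing it. Dropping `failed_when: false`, or checking `rule_17_1_1_audit.rc == 0` in the set tasks' `when`, would make a broken audit query visible; auditpol also accepts a subcategory GUID in place of the display name, which is locale-independent, if that matters for this role. The same audit/set pattern is repeated in every block of section17.yml, so one decision covers them all. The 17.1.1 block's `when:` and tags continue after the hunk.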
@@ -25,20 +26,20 @@ - rule_17.1.1 - patch -- name: "17.1.2 | PATCH | L1 | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" +- name: "17.1.2 | PATCH | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" block: - - name: "17.1.2 | AUDIT | L1 | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" + - name: "17.1.2 | AUDIT | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" win_shell: AuditPol /get /subcategory:"Kerberos Authentication Service" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_1_2_audit - - name: "17.1.2 | PATCH | L1 | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" + - name: "17.1.2 | PATCH | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /success:enable when: "'Success' not in rule_17_1_2_audit.stdout" - - name: "17.1.2 | PATCH | L1 | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" + - name: "17.1.2 | PATCH | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /failure:enable when: "'Failure' not in rule_17_1_2_audit.stdout" when: 
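Review bot: The two PATCH sub-tasks of 17.1.2 in this hunk carry identical names (`17.1.2 | PATCH | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only`), whereas 17.1.1 in the previous hunk distinguishes its pair with `| Success` and `| Failure`, so in play output the two steps cannot be told apart. Since the commit rewrites these name lines anyway, appending `| Success` and `| Failure` here would keep the naming scheme uniform. 17.1.3 in the next hunk has the same duplicated names. The block's `when:` continues after the hunk.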
@@ -49,20 +50,20 @@ - rule_17.1.2 - patch -- name: "17.1.3 | PATCH | L1 | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" +- name: "17.1.3 | PATCH | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" block: - - name: "17.1.3 | AUDIT | L1 | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" + - name: "17.1.3 | AUDIT | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" win_shell: AuditPol /get /subcategory:"Kerberos Service Ticket Operations" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_1_3_audit - - name: "17.1.3 | PATCH | L1 | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" + - name: "17.1.3 | PATCH | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable when: "'Success' not in rule_17_1_3_audit.stdout" - - name: "17.1.3 | PATCH | L1 | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" + - name: "17.1.3 | PATCH | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /failure:enable when: "'Failure' not in rule_17_1_3_audit.stdout" when: 
@@ -73,20 +74,20 @@ - rule_17.1.2 - patch -- name: "17.2.1 | PATCH | L1 | Ensure Audit Application Group Management is set to Success and Failure" +- name: "17.2.1 | PATCH | Ensure Audit Application Group Management is set to Success and Failure" block: - - name: "17.2.1 | AUDIT | L1 | Ensure Audit Application Group Management is set to Success and Failure" + - name: "17.2.1 | AUDIT | Ensure Audit Application Group Management is set to Success and Failure" win_shell: AuditPol /get /subcategory:"Application Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_2_1_audit changed_when: false failed_when: false check_mode: false - - name: "17.2.1 | PATCH | L1 | Ensure Audit Application Group Management is set to Success and Failure | Success" + - name: "17.2.1 | PATCH | Ensure Audit Application Group Management is set to Success and Failure | Success" win_shell: AuditPol /set /subcategory:"Application Group Management" /success:enable when: "'Success' not in rule_17_2_1_audit.stdout" - - name: "17.2.1 | PATCH | L1 | Ensure Audit Application Group Management is set to Success and Failure | Failure" + - name: "17.2.1 | PATCH | Ensure Audit Application Group Management is set to Success and Failure | Failure" win_shell: AuditPol /set /subcategory:"Application Group Management" /failure:enable when: "'Failure' not in rule_17_2_1_audit.stdout" when: 
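Review bot: The `- rule_17.1.2` tag at the top of this hunk appears by position to be in the 17.1.3 task's tag list (that block immediately precedes it in the file and the hunk above already shows 17.1.2's own `rule_17.1.2` tag), which would duplicate 17.1.2's tag and leave 17.1.3 without a `rule_17.1.3` tag to select it by. If so, the fix is `- rule_17.1.3`; worth checking since the 17.1.3 names are being rewritten in this commit anyway. The 17.1.3 task starts before the hunk, so its full tag list is not visible here.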
@@ -97,16 +98,16 @@ - rule_17.2.1 - patch -- name: "17.2.2 | PATCH | L1 | Ensure Audit Computer Account Management is set to include Success DC only" +- name: "17.2.2 | PATCH | Ensure Audit Computer Account Management is set to include Success DC only" block: - - name: "17.2.2 | AUDIT | L1 | Ensure Audit Computer Account Management is set to include Success DC only" + - name: "17.2.2 | AUDIT | Ensure Audit Computer Account Management is set to include Success DC only" win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_2_2_audit changed_when: false failed_when: false check_mode: false - - name: "17.2.2 | PATCH | L1 | Ensure Audit Computer Account Management is set to include Success DC only" + - name: "17.2.2 | PATCH | Ensure Audit Computer Account Management is set to include Success DC only" win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable changed_when: "'Success' not in rule_17_2_2_audit.stdout" when: "'Success' not in rule_17_2_2_audit.stdout" 
@@ -118,16 +119,16 @@ - rule_17.2.2 - patch -- name: "17.2.3 | PATCH | L1 | Ensure Audit Distribution Group Management is set to include Success DC only" +- name: "17.2.3 | PATCH | Ensure Audit Distribution Group Management is set to include Success DC only" block: - - name: "17.2.3 | AUDIT | L1 | Ensure Audit Distribution Group Management is set to include Success DC only" + - name: "17.2.3 | AUDIT | Ensure Audit Distribution Group Management is set to include Success DC only" win_shell: AuditPol /get /subcategory:"Distribution Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_2_3_audit changed_when: false failed_when: false check_mode: false - - name: "17.2.3 | PATCH | L1 | Ensure Audit Distribution Group Management is set to include Success DC only" + - name: "17.2.3 | PATCH | Ensure Audit Distribution Group Management is set to include Success DC only" win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable when: "'Success' not in rule_17_2_3_audit.stdout" when: 
@@ -138,16 +139,16 @@ - rule_17.2.3 - patch -- name: "17.2.4 | PATCH | L1 | Ensure Audit Other Account Management Events is set to include Success DC only" +- name: "17.2.4 | PATCH | Ensure Audit Other Account Management Events is set to include Success DC only" block: - - name: "17.2.4 | AUDIT | L1 | Ensure Audit Other Account Management Events is set to include Success DC only" + - name: "17.2.4 | AUDIT | Ensure Audit Other Account Management Events is set to include Success DC only" win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_2_4_audit changed_when: false failed_when: false check_mode: false - - name: "17.2.4 | PATCH | L1 | Ensure Audit Other Account Management Events is set to include Success DC only" + - name: "17.2.4 | PATCH | Ensure Audit Other Account Management Events is set to include Success DC only" win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable when: "'Success' not in rule_17_2_4_audit.stdout" when: 
@@ -158,16 +159,16 @@ - rule_17.2.4 - patch -- name: "17.2.5 | AUDIT | L1 | Ensure Audit Security Group Management is set to include Success" +- name: "17.2.5 | AUDIT | Ensure Audit Security Group Management is set to include Success" block: - - name: "17.2.5 | AUDIT | L1 | Ensure Audit Security Group Management is set to include Success" + - name: "17.2.5 | AUDIT | Ensure Audit Security Group Management is set to include Success" win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_2_5_audit changed_when: false failed_when: false check_mode: false - - name: "17.2.5 | PATCH | L1 | Ensure Audit Security Group Management is set to include Success" + - name: "17.2.5 | PATCH | Ensure Audit Security Group Management is set to include Success" win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable when: "'Success' not in rule_17_2_5_audit.stdout" when: 
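Review bot: The outer block name in this hunk, `17.2.5 | AUDIT | Ensure Audit Security Group Management is set to include Success`, labels a block that also remediates as AUDIT, while every other outer block in section17.yml is labelled PATCH; the renamed line is new code, so this is the place to make it `- name: "17.2.5 | PATCH | Ensure Audit Security Group Management is set to include Success"`. The same AUDIT/PATCH mismatch is on the 17.5.3 outer block (`17.5.3 | AUDIT |`) later in the file. The block's `when:` continues after the hunk.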
@@ -178,20 +179,20 @@ - rule_17.2.5 - patch -- name: "17.2.6 | PATCH | L1 | Ensure Audit User Account Management is set to Success and Failure" +- name: "17.2.6 | PATCH | Ensure Audit User Account Management is set to Success and Failure" block: - - name: "17.2.6 | AUDIT | L1 | Ensure Audit User Account Management is set to Success and Failure" + - name: "17.2.6 | AUDIT | Ensure Audit User Account Management is set to Success and Failure" win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_2_6_audit - - name: "17.2.6 | PATCH | L1 | Ensure Audit User Account Management is set to Success and Failure | Success" + - name: "17.2.6 | PATCH | Ensure Audit User Account Management is set to Success and Failure | Success" win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable when: "'Success' not in rule_17_2_6_audit.stdout" - - name: "17.2.6 | PATCH | L1 | Ensure Audit User Account Management is set to Success and Failure | Failure" + - name: "17.2.6 | PATCH | Ensure Audit User Account Management is set to Success and Failure | Failure" win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable when: "'Failure' not in rule_17_2_6_audit.stdout" when: 
@@ -202,16 +203,16 @@ - rule_17.2.6 - patch -- name: "17.3.1 | PATCH | L1 | Ensure Audit PNP Activity is set to include Success" +- name: "17.3.1 | PATCH | Ensure Audit PNP Activity is set to include Success" block: - - name: "17.3.1 | AUDIT | L1 | Ensure Audit PNP Activity is set to include Success" + - name: "17.3.1 | AUDIT | Ensure Audit PNP Activity is set to include Success" win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_3_1_audit - - name: "17.3.1 | PATCH | L1 | Ensure Audit PNP Activity is set to include Success" + - name: "17.3.1 | PATCH | Ensure Audit PNP Activity is set to include Success" win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable when: "'Success' not in rule_17_3_1_audit.stdout" when: @@ -222,16 +223,16 @@ - rule_17.3.1 - patch -- name: "17.3.2 | PATCH | L1 | Ensure Audit Process Creation is set to include Success" +- name: "17.3.2 | PATCH | Ensure Audit Process Creation is set to include Success" block: - - name: "17.3.2 | AUDIT | L1 | Ensure Audit Process Creation is set to include Success" + - name: "17.3.2 | AUDIT | Ensure Audit Process Creation is set to include Success" win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_3_2_audit - - name: "17.3.2 | PATCH | L1 | Ensure Audit Process Creation is set to include Success" + - name: "17.3.2 | PATCH | Ensure Audit Process Creation is set to include Success" win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable when: "'Success' not in rule_17_3_2_audit.stdout" when: 
@@ -242,16 +243,16 @@ - rule_17.3.2 - patch -- name: "17.4.1 | PATCH | L1 | Ensure Audit Directory Service Access is set to include Failure DC only" +- name: "17.4.1 | PATCH | Ensure Audit Directory Service Access is set to include Failure DC only" block: - - name: "17.4.1 | AUDIT | L1 | Ensure Audit Directory Service Access is set to include Failure DC only" + - name: "17.4.1 | AUDIT | Ensure Audit Directory Service Access is set to include Failure DC only" win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_4_1_audit - - name: "17.4.1 | PATCH | L1 | Ensure Audit Directory Service Access is set to include Failure DC only" + - name: "17.4.1 | PATCH | Ensure Audit Directory Service Access is set to include Failure DC only" win_shell: AuditPol /set /subcategory:"Directory Service Access" /success:enable when: "'Success' not in rule_17_4_1_audit.stdout" when: 
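Review bot: The 17.4.1 PATCH sub-task in this hunk does not do what its title says: the name reads "set to include Failure", but the command is `AuditPol /set /subcategory:"Directory Service Access" /success:enable` gated by `'Success' not in rule_17_4_1_audit.stdout`, so the Failure audit is never enabled by this task while the play reports it handled. These lines are context rather than part of the change, but the commit rewrites the task's names without catching the inconsistency; the fix is `/failure:enable` with `when: "'Failure' not in rule_17_4_1_audit.stdout"`, mirroring 17.5.1 in the next hunk. The block's `when:` continues after the hunk.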
@@ -261,16 +262,16 @@ - rule_17.4.1 - patch -- name: "17.4.2 | PATCH | L1 | Ensure Audit Directory Service Changes is set to include Success DC only" +- name: "17.4.2 | PATCH | Ensure Audit Directory Service Changes is set to include Success DC only" block: - - name: "17.4.2 | AUDIT | L1 | Ensure Audit Directory Service Changes is set to include Success DC only" + - name: "17.4.2 | AUDIT | Ensure Audit Directory Service Changes is set to include Success DC only" win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_4_2_audit - - name: "17.4.2 | PATCH | L1 | Ensure Audit Directory Service Changes is set to include Success DC only" + - name: "17.4.2 | PATCH | Ensure Audit Directory Service Changes is set to include Success DC only" win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable when: "'Success' not in rule_17_4_2_audit.stdout" when: @@ -280,16 +281,16 @@ - rule_17.4.2 - patch -- name: "17.5.1 | PATCH | L1 | Ensure Audit Account Lockout is set to include Failure" +- name: "17.5.1 | PATCH | Ensure Audit Account Lockout is set to include Failure" block: - - name: "17.5.1 | AUDIT | L1 | Ensure Audit Account Lockout is set to include Failure" + - name: "17.5.1 | AUDIT | Ensure Audit Account Lockout is set to include Failure" win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_5_1_audit - - name: "17.5.1 | PATCH | L1 | Ensure Audit Account Lockout is set to include Failure" + - name: "17.5.1 | PATCH | Ensure Audit Account Lockout is set to include Failure" win_shell: AuditPol /set /subcategory:"Account Lockout" /failure:enable when: "'Failure' not in rule_17_5_1_audit.stdout" when: 
@@ -300,16 +301,16 @@ - rule_17.5.1 - patch -- name: "17.5.2 | PATCH | L1 | Ensure Audit Group Membership is set to include Success" +- name: "17.5.2 | PATCH | Ensure Audit Group Membership is set to include Success" block: - - name: "17.5.2 | AUDIT | L1 | Ensure Audit Group Membership is set to include Success" + - name: "17.5.2 | AUDIT | Ensure Audit Group Membership is set to include Success" win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_5_2_audit - - name: "17.5.2 | PATCH | L1 | Ensure Audit Group Membership is set to include Success" + - name: "17.5.2 | PATCH | Ensure Audit Group Membership is set to include Success" win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable when: "'Success' not in rule_17_5_2_audit.stdout" when: @@ -320,16 +321,16 @@ - rule_17.5.2 - patch -- name: "17.5.3 | AUDIT | L1 | Ensure Audit Logoff is set to include Success" +- name: "17.5.3 | AUDIT | Ensure Audit Logoff is set to include Success" block: - - name: "17.5.3 | AUDIT | L1 | Ensure Audit Logoff is set to include Success" + - name: "17.5.3 | AUDIT | Ensure Audit Logoff is set to include Success" win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_5_3_audit - - name: "17.5.3 | PATCH | L1 | Ensure Audit Logoff is set to include Success" + - name: "17.5.3 | PATCH | Ensure Audit Logoff is set to include Success" win_shell: AuditPol /set /subcategory:"Logoff" /success:enable when: "'Success' not in rule_17_5_3_audit.stdout" when: 
@@ -340,20 +341,20 @@ - rule_17.5.3 - patch -- name: "17.5.4 | PATCH | L1 | Ensure Audit Logon is set to Success and Failure" +- name: "17.5.4 | PATCH | Ensure Audit Logon is set to Success and Failure" block: - - name: "17.5.4 | AUDIT | L1 | Ensure Audit Logon is set to Success and Failure" + - name: "17.5.4 | AUDIT | Ensure Audit Logon is set to Success and Failure" win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_5_4_audit - - name: "17.5.4 | PATCH | L1 | Ensure Audit Logon is set to Success and Failure | Success" + - name: "17.5.4 | PATCH | Ensure Audit Logon is set to Success and Failure | Success" win_shell: AuditPol /set /subcategory:"Logon" /success:enable when: "'Success' not in rule_17_5_4_audit.stdout" - - name: "17.5.4 | PATCH | L1 | Ensure Audit Logon is set to Success and Failure | Failure" + - name: "17.5.4 | PATCH | Ensure Audit Logon is set to Success and Failure | Failure" win_shell: AuditPol /set /subcategory:"Logon" /failure:enable when: "'Failure' not in rule_17_5_4_audit.stdout" when: 
@@ -364,20 +365,20 @@ - rule_17.5.4 - patch -- name: "17.5.5 | PATCH | L1 | Ensure Audit Other LogonLogoff Events is set to Success and Failure" +- name: "17.5.5 | PATCH | Ensure Audit Other LogonLogoff Events is set to Success and Failure" block: - - name: "17.5.5 | AUDIT | L1 | Ensure Audit Other LogonLogoff Events is set to Success and Failure" + - name: "17.5.5 | AUDIT | Ensure Audit Other LogonLogoff Events is set to Success and Failure" win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_5_5_audit - - name: "17.5.5 | PATCH | L1 | Ensure Audit Other LogonLogoff Events is set to Success and Failure | Success" + - name: "17.5.5 | PATCH | Ensure Audit Other LogonLogoff Events is set to Success and Failure | Success" win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /success:enable when: "'Success' not in rule_17_5_5_audit.stdout" - - name: "17.5.5 | PATCH | L1 | Ensure Audit Other LogonLogoff Events is set to Success and Failure | Failure" + - name: "17.5.5 | PATCH | Ensure Audit Other LogonLogoff Events is set to Success and Failure | Failure" win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable when: "'Failure' not in rule_17_5_5_audit.stdout" when: 
@@ -388,16 +389,16 @@ - rule_17.5.5 - patch -- name: "17.5.6 | PATCH | L1 | Ensure Audit Special Logon is set to include Success" +- name: "17.5.6 | PATCH | Ensure Audit Special Logon is set to include Success" block: - - name: "17.5.6 | AUDIT | L1 | Ensure Audit Special Logon is set to include Success" + - name: "17.5.6 | AUDIT | Ensure Audit Special Logon is set to include Success" win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_5_6_audit - - name: "17.5.6 | PATCH | L1 | Ensure Audit Special Logon is set to include Success" + - name: "17.5.6 | PATCH | Ensure Audit Special Logon is set to include Success" win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable when: "'Success' not in rule_17_5_6_audit.stdout" when:
@@ -408,16 +409,16 @@ - rule_17.5.6 - patch -- name: "17.6.1 | PATCH | L1 | Ensure Audit Detailed File Share is set to include Failure" +- name: "17.6.1 | PATCH | Ensure Audit Detailed File Share is set to include Failure" block: - - name: "17.6.1 | AUDIT | L1 | Ensure Audit Detailed File Share is set to include Failure" + - name: "17.6.1 | AUDIT | Ensure Audit Detailed File Share is set to include Failure" win_shell: AuditPol /get /subcategory:"Detailed File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_6_1_audit - - name: "17.6.1 | PATCH | L1 | Ensure Audit Detailed File Share is set to include Failure" + - name: "17.6.1 | PATCH | Ensure Audit Detailed File Share is set to include Failure" win_shell: AuditPol /set /subcategory:"Detailed File Share" /failure:enable when: "'Failure' not in rule_17_6_1_audit.stdout" when:
@@ -428,20 +429,20 @@ - rule_17.6.1 - patch -- name: "17.6.2 | PATCH | L1 | Ensure Audit File Share is set to Success and Failure" +- name: "17.6.2 | PATCH | Ensure Audit File Share is set to Success and Failure" block: - - name: "17.6.2 | AUDIT | L1 | Ensure Audit File Share is set to Success and Failure" + - name: "17.6.2 | AUDIT | Ensure Audit File Share is set to Success and Failure" win_shell: AuditPol /get /subcategory:"File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_6_2_audit - - name: "17.6.2 | PATCH | L1 | Ensure Audit File Share is set to Success and Failure" + - name: "17.6.2 | PATCH | Ensure Audit File Share is set to Success and Failure" win_shell: AuditPol /set /subcategory:"File Share" /success:enable when: "'Success' not in rule_17_6_2_audit.stdout" - - name: "17.6.2 | PATCH | L1 | Ensure Audit File Share is set to Success and Failure" + - name: "17.6.2 | PATCH | Ensure Audit File Share is set to Success and Failure" win_shell: AuditPol /set /subcategory:"File Share" /failure:enable when: "'Failure' not in rule_17_6_2_audit.stdout" when:
@@ -452,7 +453,7 @@ - rule_17.6.2 - patch -- name: "17.6.3 | PATCH | L1 | Ensure Audit Other Object Access Events is set to Success and Failure" +- name: "17.6.3 | PATCH | Ensure Audit Other Object Access Events is set to Success and Failure" win_audit_policy_system: subcategory: Other Object Access Events audit_type: success, failure
@@ -464,20 +465,20 @@ - rule_17.6.3 - patch -- name: "17.6.4 | PATCH | L1 | Ensure Audit Removable Storage is set to Success and Failure" +- name: "17.6.4 | PATCH | Ensure Audit Removable Storage is set to Success and Failure" block: - - name: "17.6.4 | AUDIT | L1 | Ensure Audit Removable Storage is set to Success and Failure" + - name: "17.6.4 | AUDIT | Ensure Audit Removable Storage is set to Success and Failure" win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_6_4_audit - - name: "17.6.4 | PATCH | L1 | Ensure Audit Removable Storage is set to Success and Failure" + - name: "17.6.4 | PATCH | Ensure Audit Removable Storage is set to Success and Failure" win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable when: "'Success' not in rule_17_6_4_audit.stdout" - - name: "17.6.4 | PATCH | L1 | Ensure Audit Removable Storage is set to Success and Failure" + - name: "17.6.4 | PATCH | Ensure Audit Removable Storage is set to Success and Failure" win_shell: AuditPol /set /subcategory:"Removable Storage" /failure:enable when: "'Failure' not in rule_17_6_4_audit.stdout" when: 
@@ -488,16 +489,16 @@ - rule_17.6.4 - patch -- name: "17.7.1 | PATCH | L1 | Ensure Audit Audit Policy Change is set to include Success" +- name: "17.7.1 | PATCH | Ensure Audit Audit Policy Change is set to include Success" block: - - name: "17.7.1 | AUDIT | L1 | Ensure Audit Audit Policy Change is set to include Success" + - name: "17.7.1 | AUDIT | Ensure Audit Audit Policy Change is set to include Success" win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_7_1_audit - - name: "17.7.1 | PATCH | L1 | Ensure Audit Audit Policy Change is set to include Success" + - name: "17.7.1 | PATCH | Ensure Audit Audit Policy Change is set to include Success" win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable when: "'Success' not in rule_17_7_1_audit.stdout" when:
@@ -508,16 +509,16 @@ - rule_17.7.1 - patch -- name: "17.7.2 | PATCH | L1 | Ensure Audit Authentication Policy Change is set to include Success" +- name: "17.7.2 | PATCH | Ensure Audit Authentication Policy Change is set to include Success" block: - - name: "17.7.2 | AUDIT | L1 | Ensure Audit Authentication Policy Change is set to include Success" + - name: "17.7.2 | AUDIT | Ensure Audit Authentication Policy Change is set to include Success" win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_7_2_audit - - name: "17.7.2 | PATCH | L1 | Ensure Audit Authentication Policy Change is set to include Success" + - name: "17.7.2 | PATCH | Ensure Audit Authentication Policy Change is set to include Success" win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable when: "'Success' not in rule_17_7_2_audit.stdout" when:
@@ -528,16 +529,16 @@ - rule_17.7.2 - patch -- name: "17.7.3 | PATCH | L1 | Ensure Audit Authorization Policy Change is set to include Success" +- name: "17.7.3 | PATCH | Ensure Audit Authorization Policy Change is set to include Success" block: - - name: "17.7.3 | AUDIT | L1 | Ensure Audit Authorization Policy Change is set to include Success" + - name: "17.7.3 | AUDIT | Ensure Audit Authorization Policy Change is set to include Success" win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_7_3_audit - - name: "17.7.3 | PATCH | L1 | Ensure Audit Authorization Policy Change is set to include Success" + - name: "17.7.3 | PATCH | Ensure Audit Authorization Policy Change is set to include Success" win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable when: "'Success' not in rule_17_7_3_audit.stdout" when: 
@@ -548,20 +549,20 @@ - rule_17.7.3 - patch -- name: "17.7.4 | PATCH | L1 | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure" +- name: "17.7.4 | PATCH | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure" block: - - name: "17.7.4 | AUDIT | L1 | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure" + - name: "17.7.4 | AUDIT | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure" win_shell: AuditPol /get /subcategory:"MPSSVC Rule-Level Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_7_4_audit - - name: "17.7.4 | PATCH | L1 | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Success" + - name: "17.7.4 | PATCH | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Success" win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable when: "'Success' not in rule_17_7_4_audit.stdout" - - name: "17.7.4 | PATCH | L1 | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Failure" + - name: "17.7.4 | PATCH | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Failure" win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /failure:enable when: "'Failure' not in rule_17_7_4_audit.stdout" when: 
@@ -572,16 +573,16 @@ - rule_17.7.4 - patch -- name: "17.7.5 | PATCH | L1 | Ensure Audit Other Policy Change Events is set to include Failure" +- name: "17.7.5 | PATCH | Ensure Audit Other Policy Change Events is set to include Failure" block: - - name: "17.7.5 | AUDIT | L1 | Ensure Audit Other Policy Change Events is set to include Failure" + - name: "17.7.5 | AUDIT | Ensure Audit Other Policy Change Events is set to include Failure" win_shell: AuditPol /get /subcategory:"Other Policy Change Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_7_5_audit - - name: "17.7.5 | PATCH | L1 | Ensure Audit Other Policy Change Events is set to include Failure" + - name: "17.7.5 | PATCH | Ensure Audit Other Policy Change Events is set to include Failure" win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /failure:enable when: "'Failure' not in rule_17_7_5_audit.stdout" when: 
@@ -592,20 +593,20 @@ - rule_17.7.5 - patch -- name: "17.8.1 | PATCH | L1 | Ensure Audit Sensitive Privilege Use is set to Success and Failure" +- name: "17.8.1 | PATCH | Ensure Audit Sensitive Privilege Use is set to Success and Failure" block: - - name: "17.8.1 | AUDIT | L1 | Ensure Audit Sensitive Privilege Use is set to Success and Failure" + - name: "17.8.1 | AUDIT | Ensure Audit Sensitive Privilege Use is set to Success and Failure" win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_8_1_audit - - name: "17.8.1 | PATCH | L1 | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Success" + - name: "17.8.1 | PATCH | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Success" win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable when: "'Success' not in rule_17_8_1_audit.stdout" - - name: "17.8.1 | PATCH | L1 | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Failure" + - name: "17.8.1 | PATCH | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Failure" win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable when: "'Failure' not in rule_17_8_1_audit.stdout" when: 
@@ -616,20 +617,20 @@ - rule_17.8.1 - patch -- name: "17.9.1 | PATCH | L1 | Ensure Audit IPsec Driver is set to Success and Failure" +- name: "17.9.1 | PATCH | Ensure Audit IPsec Driver is set to Success and Failure" block: - - name: "17.9.1 | AUDIT | L1 | Ensure Audit IPsec Driver is set to Success and Failure" + - name: "17.9.1 | AUDIT | Ensure Audit IPsec Driver is set to Success and Failure" win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_9_1_audit - - name: "17.9.1 | PATCH | L1 | Ensure Audit IPsec Driver is set to Success and Failure | Success" + - name: "17.9.1 | PATCH | Ensure Audit IPsec Driver is set to Success and Failure | Success" win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable when: "'Success' not in rule_17_9_1_audit.stdout" - - name: "17.9.1 | PATCH | L1 | Ensure Audit IPsec Driver is set to Success and Failure | Failure" + - name: "17.9.1 | PATCH | Ensure Audit IPsec Driver is set to Success and Failure | Failure" win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable when: "'Failure' not in rule_17_9_1_audit.stdout" when: 
@@ -640,20 +641,20 @@ - rule_17.9.1 - patch -- name: "17.9.2 | PATCH | L1 | Ensure Audit Other System Events is set to Success and Failure" +- name: "17.9.2 | PATCH | Ensure Audit Other System Events is set to Success and Failure" block: - - name: "17.9.2 | AUDIT | L1 | Ensure Audit Other System Events is set to Success and Failure" + - name: "17.9.2 | AUDIT | Ensure Audit Other System Events is set to Success and Failure" win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_9_2_audit - - name: "17.9.2 | PATCH | L1 | Ensure Audit Other System Events is set to Success and Failure | Success" + - name: "17.9.2 | PATCH | Ensure Audit Other System Events is set to Success and Failure | Success" win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable when: "'Success' not in rule_17_9_2_audit.stdout" - - name: "17.9.2 | PATCH | L1 | Ensure Audit Other System Events is set to Success and Failure | Failure" + - name: "17.9.2 | PATCH | Ensure Audit Other System Events is set to Success and Failure | Failure" win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable when: "'Failure' not in rule_17_9_2_audit.stdout" when: 
@@ -664,16 +665,16 @@ - rule_17.9.2 - patch -- name: "17.9.3 | PATCH | L1 | Ensure Audit Security State Change is set to include Success" +- name: "17.9.3 | PATCH | Ensure Audit Security State Change is set to include Success" block: - - name: "17.9.3 | AUDIT | L1 | Ensure Audit Security State Change is set to include Success" + - name: "17.9.3 | AUDIT | Ensure Audit Security State Change is set to include Success" win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_9_3_audit - - name: "17.9.3 | PATCH | L1 | Ensure Audit Security State Change is set to include Success" + - name: "17.9.3 | PATCH | Ensure Audit Security State Change is set to include Success" win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable when: "'Success' not in rule_17_9_3_audit.stdout" when:
@@ -684,16 +685,16 @@ - rule_17.9.3 - patch -- name: "17.9.4 | PATCH | L1 | Ensure Audit Security System Extension is set to include Success" +- name: "17.9.4 | PATCH | Ensure Audit Security System Extension is set to include Success" block: - - name: "17.9.4 | AUDIT | L1 | Ensure Audit Security System Extension is set to include Success" + - name: "17.9.4 | AUDIT | Ensure Audit Security System Extension is set to include Success" win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_9_4_audit - - name: "17.9.4 | PATCH | L1 | Ensure Audit Security System Extension is set to include Success" + - name: "17.9.4 | PATCH | Ensure Audit Security System Extension is set to include Success" win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable when: "'Success' not in rule_17_9_4_audit.stdout" when:
@@ -704,21 +705,21 @@ - rule_17.9.4 - patch -- name: "17.9.5 | PATCH | L1 | Ensure Audit System Integrity is set to Success and Failure" +- name: "17.9.5 | PATCH | Ensure Audit System Integrity is set to Success and Failure" block: - - name: "17.9.5 | AUDIT | L1 | Ensure Audit System Integrity is set to Success and Failure" + - name: "17.9.5 | AUDIT | Ensure Audit System Integrity is set to Success and Failure" win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: rule_17_9_5_audit - - name: "17.9.5 | PATCH | L1 | Ensure Audit System Integrity is set to Success and Failure | Success" + - name: "17.9.5 | PATCH | Ensure Audit System Integrity is set to Success and Failure | Success" win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable changed_when: "'Success' not in rule_17_9_5_audit.stdout" when: "'Success' not in rule_17_9_5_audit.stdout" - - name: "17.9.5 | PATCH | L1 | Ensure Audit System Integrity is set to Success and Failure | Failure" + - name: "17.9.5 | PATCH | Ensure Audit System Integrity is set to Success and Failure | Failure" win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable changed_when: "'Failure' not in rule_17_9_5_audit.stdout" when: "'Failure' not in rule_17_9_5_audit.stdout"
diff --git a/tasks/section18.yml b/tasks/section18.yml
index fe60d04..18d3946 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -1,5 +1,6 @@ --- -- name: "18.1.1.1 | PATCH | L1 | Ensure Prevent enabling lock screen camera is set to Enabled" + +- name: "18.1.1.1 | PATCH | Ensure Prevent enabling lock screen camera is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Personalization name: NoLockScreenCamera
@@ -12,8 +13,9 @@ - level1-memberserver - rule_18.1.1.1 - patch + - camera -- name: "18.1.1.2 | PATCH | L1 | Ensure Prevent enabling lock screen slide show is set to Enabled" +- name: "18.1.1.2 | PATCH | Ensure Prevent enabling lock screen slide show is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Personalization name: NoLockScreenSlideshow
@@ -26,8 +28,9 @@ - level1-memberserver - rule_18.1.1.2 - patch + - lockscreen -- name: "18.1.2.2 | PATCH | L1 | Ensure Allow users to enable online speech recognition services is set to Disabled" +- name: "18.1.2.2 | PATCH | Ensure Allow users to enable online speech recognition services is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\InputPersonalization name: "AllowInputPersonalization"
@@ -40,8 +43,9 @@ - level1-memberserver - rule_18.1.2.2 - patch + - onlinespeech -- name: "18.1.3 | PATCH | L2 | Ensure Allow Online Tips is set to Disabled" +- name: "18.1.3 | PATCH | Ensure Allow Online Tips is set to Disabled" win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer name: AllowOnlineTips
@@ -54,8 +58,9 @@ - level2-memberserver - rule_18.1.3 - patch + - onlinetips -- name: "18.2.1 | PATCH | L1 | Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" +- name: "18.2.1 | PATCH | Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} name: DllName
@@ -68,8 +73,10 @@ - level1-memberserver - rule_18.2.1 - patch + - laps + - gpo -- name: "18.2.2 | PATCH | L1 | Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" +- name: "18.2.2 | PATCH | Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd name: PwdExpirationProtectionEnabled
@@ -82,8 +89,9 @@ - level1-memberserver - rule_18.2.2 - patch + - accounts -- name: "18.2.3 | PATCH | L1 | Ensure Enable Local Admin Password Management is set to Enabled MS only" +- name: "18.2.3 | PATCH | Ensure Enable Local Admin Password Management is set to Enabled MS only" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd name: AdmPwdEnabled
@@ -96,8 +104,10 @@ - level1-memberserver - rule_18.2.3 - patch + - accounts + - admin -- name: "18.2.4 | PATCH | L1 | Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" +- name: "18.2.4 | PATCH | Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd name: PasswordComplexity
@@ -105,13 +115,14 @@ type: dword when: - rule_18_2_4 - - ansible_windows_domain_role == "Member Server" + - ansible_windows_domain_role != "Member Server" tags: - level1-memberserver - rule_18.2.4 - patch + - accounts -- name: "18.2.5 | PATCH | L1 | Ensure Password Settings Password Length is set to Enabled 15 or more MS only" +- name: "18.2.5 | PATCH | Ensure Password Settings Password Length is set to Enabled 15 or more MS only" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd name: PasswordLength
@@ -124,8 +135,9 @@ - level1-memberserver - rule_18.2.5 - patch + - accounts -- name: "18.2.6 | PATCH | L1 | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" +- name: "18.2.6 | PATCH | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd name: PasswordAgeDays
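Review bot: The `when` condition of 18.2.4 is flipped from `==` to `ansible_windows_domain_role != "Member Server"`, yet the task is titled "MS only", tagged `level1-memberserver`, and writes a LAPS value under `HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd`; with `!=` it now skips member servers and runs on domain controllers instead. The sibling tasks 18.2.2, 18.2.3, 18.2.5 and 18.2.6 keep their `when` blocks outside these hunks, so I am inferring they still use the `==` form, which would make 18.2.4 the odd one out. Unless this is a deliberate fix that deserves a comment, restore `- ansible_windows_domain_role == "Member Server"`.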
@@ -138,8 +150,9 @@ - level1-memberserver - rule_18.2.6 - patch + - accounts -- name: "18.3.1 | PATCH | L1 | Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" +- name: "18.3.1 | PATCH | Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: LocalAccountTokenFilterPolicy
@@ -152,8 +165,9 @@ - level1-memberserver - rule_18.3.1 - patch + - uac -- name: "18.3.2 | PATCH | L1 | Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended" +- name: "18.3.2 | PATCH | Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10 name: Start
@@ -166,8 +180,9 @@ - level1-memberserver - rule_18.3.2 - patch + - smb -- name: "18.3.3 | PATCH | L1 | Ensure Configure SMB v1 server is set to Disabled" +- name: "18.3.3 | PATCH | Ensure Configure SMB v1 server is set to Disabled" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters name: SMB1
@@ -182,8 +197,9 @@ - level1-memberserver - rule_18.3.3 - patch + - smb -- name: "18.3.4 | PATCH | L1 | Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled" +- name: "18.3.4 | PATCH | Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel name: DisableExceptionChainValidation
@@ -197,8 +213,25 @@ - level1-memberserver - rule_18.3.4 - patch + - sehop -- name: "18.3.5 | PATCH | L1 | Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node recommended'" +- name: "18.3.5 | PATCH | Ensure Limits print driver installation to Administrators is set to Enabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint + name: RestrictDriverInstallationToAdministrators + data: 1 + type: dword + when: + - rule_18_3_5 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.3.5 + - patch + - printers + - drivers + +- name: "18.3.6 | PATCH | Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node recommended'" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters state: present
@@ -206,14 +239,15 @@ data: "{{ netbt_nodetype }}" datatype: dword when: - - rule_18_3_5 + - rule_18_3_6 tags: - level1-domaincontroller - level1-memberserver - - rule_18.3.5 + - rule_18.3.6 - patch + - netbt -- name: "18.3.6 | PATCH | L1 | Ensure WDigest Authentication is set to Disabled" +- name: "18.3.7 | PATCH | Ensure WDigest Authentication is set to Disabled" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest state: present
@@ -221,16 +255,17 @@ data: 0 datatype: dword when: - - rule_18_3_6 + - rule_18_3_7 tags: - level1-domaincontroller - level1-memberserver - - rule_18.3.6 + - rule_18.3.7 - patch + - wdigest ## 18.4.x -- name: "18.4.1 | PATCH | L1 | Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled" +- name: "18.4.1 | PATCH | Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled" win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon state: present
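Review bot: Inserting the new print-driver task as 18.3.5 re-keys the gating variables: NetBT now reads `rule_18_3_6`, WDigest reads `rule_18_3_7`, and `rule_18_3_5` silently changes meaning from "NetBT NodeType" to "restrict print driver installation", so an existing inventory override of `rule_18_3_5` now toggles a different control and `rule_18_3_7` is undefined unless `defaults/main.yml` is updated in the same commit (not visible in this diff). The same renumbering applies to `rule_18_5_4_1`/`rule_18_5_4_2` in the DNS hunk further down. A one-line comment above the new task, e.g. `# New in CIS v1.3.0; former 18.3.5 (NetBT) and 18.3.6 (WDigest) are now 18.3.6 and 18.3.7`, would save the next reader a bisect. Minor style point: the new task uses `type: dword` while its neighbours use `datatype: dword`; win_regedit accepts both, but the file should settle on one.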
@@ -244,8 +279,10 @@ - level1-memberserver - rule_18.4.1 - patch + - mss + - logon -- name: "18.4.2 | PATCH | L1 | Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" +- name: "18.4.2 | PATCH | Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters state: present
@@ -259,8 +296,10 @@ - level1-memberserver - rule_18.4.2 - patch + - mss + - iprouting -- name: "18.4.3 | PATCH | L1 | Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" +- name: "18.4.3 | PATCH | Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters state: present
@@ -274,8 +313,10 @@ - level1-memberserver - rule_18.4.3 - patch + - mss + - iprouting -- name: "18.4.4 | PATCH | L1 | Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled" +- name: "18.4.4 | PATCH | Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters state: present
@@ -289,8 +330,10 @@ - level1-memberserver - rule_18.4.4 - patch + - mss + - icmps -- name: "18.4.5 | PATCH | L2 | Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended" +- name: "18.4.5 | PATCH | Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters state: present
@@ -304,8 +347,10 @@ - level2-memberserver - rule_18.4.5 - patch + - mss + - keepalive -- name: "18.4.6 | PATCH | L1 | Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled" +- name: "18.4.6 | PATCH | Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters state: present
@@ -319,8 +364,10 @@ - level1-memberserver - rule_18.4.6 - patch + - mss + - noname -- name: "18.4.7 | PATCH | L2 | Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled" +- name: "18.4.7 | PATCH | Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters state: present
@@ -334,8 +381,9 @@ - level2-memberserver - rule_18.4.7 - patch + - mss -- name: "18.4.8 | PATCH | L1 | Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled" +- name: "18.4.8 | PATCH | Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Session Manager name: SafeDllSearchMode
@@ -349,8 +397,9 @@ - level1-memberserver - rule_18.4.8 - patch + - mss -- name: "18.4.9 | PATCH | L1 | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds" +- name: "18.4.9 | PATCH | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds" win_regedit: path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon name: ScreenSaverGracePeriod
@@ -364,8 +413,9 @@ - level1-memberserver - rule_18.4.9 - patch + - mss -- name: "18.4.10 | PATCH | L2 | Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3" +- name: "18.4.10 | PATCH | Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters name: TcpMaxDataRetransmissions
@@ -378,8 +428,9 @@ - level2-memberserver - rule_18.4.10 - patch + - mss -- name: "18.4.11 | PATCH | L2 | Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3" +- name: "18.4.11 | PATCH | Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters name: TcpMaxDataRetransmissions
@@ -392,8 +443,9 @@ - level2-memberserver - rule_18.4.11 - patch + - mss -- name: "18.4.12 | PATCH | L1 | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less" +- name: "18.4.12 | PATCH | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security name: WarningLevel
@@ -406,26 +458,42 @@ - level1-memberserver - rule_18.4.12 - patch - + - mss # 18.5.4.x -- name: "18.5.4.1 | PATCH | L1 | Ensure Turn off multicast name resolution is set to Enabled MS Only" +- name: "18.5.4.1 | PATCH | Ensure Configure DNS over HTTPS (DoH) name resolution is set to Enabled: Allow DoH or higher" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient + name: DoHPolicy + data: 2 + type: dword + when: + - rule_18_5_4_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.5.4.1 + - patch + - dns + +- name: "18.5.4.2 | PATCH | Ensure Turn off multicast name resolution is set to Enabled MS Only" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient name: EnableMulticast data: 0 type: dword when: - - rule_18_5_4_1 + - rule_18_5_4_2 - not ansible_windows_domain_role == "Primary domain controller" tags: - level1-domaincontroller - level1-memberserver - - rule_18.5.4.1 + - rule_18.5.4.2 - patch + - dns -- name: "18.5.5.1 | PATCH | L2 | Ensure Enable Font Providers is set to Disabled" +- name: "18.5.5.1 | PATCH | Ensure Enable Font Providers is set to Disabled" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System name: EnableFontProviders @@ -438,8 +506,9 @@ - level2-memberserver - rule_18.5.5.1 - patch + - dns -- name: "18.5.8.1 | PATCH | L1 | Ensure Enable insecure guest logons is set to Disabled" +- name: "18.5.8.1 | PATCH | Ensure Enable insecure guest logons is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation name: AllowInsecureGuestAuth 
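Review bot: The tag lists look shifted by one task from this hunk onward: 18.5.5.1 (Enable Font Providers) is tagged `dns`, while the `fonts` tag lands on 18.5.8.1 (insecure guest logons) in the next hunk, so `--tags fonts` would run the SMB guest-auth change and skip the font-provider one. `dns` belongs on 18.5.4.1 and 18.5.4.2 only; change the 18.5.5.1 tag to `- fonts` and give 18.5.8.1 something like `- smb`. Separately, the 18.5.4.2 guard `not ansible_windows_domain_role == "Primary domain controller"` treats any host reporting `Backup domain controller` as a member server, so this "MS only" setting is applied to every DC except the PDC-emulator holder in a multi-DC domain; `ansible_windows_domain_role not in ["Primary domain controller", "Backup domain controller"]` is the check that matches the rule's scope.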
@@ -452,31 +521,32 @@ - level1-memberserver - rule_18.5.8.1 - patch + - fonts -- name: "18.5.9.1 | PATCH | L2 | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled" +- name: "18.5.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled" block: - - name: "18.5.9.1 | PATCH | L2 | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain" + - name: "18.5.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: AllowLLTDIOOndomain data: 0 type: dword - - name: "18.5.9.1 | PATCH | L2 | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet" + - name: "18.5.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: AllowLLTDIOOnPublicNet data: 0 type: dword - - name: "18.5.9.1 | PATCH | L2 | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO" + - name: "18.5.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: EnableLLTDIO data: 0 type: dword - - name: "18.5.9.1 | PATCH | L2 | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet" + - name: "18.5.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: ProhibitLLTDIOOnPrivateNet 
@@ -489,31 +559,33 @@ - level2-memberserver - rule_18.5.9.1 - patch + - mapper + - drivers -- name: "18.5.9.2 | PATCH | L2 | Ensure Turn on Responder RSPNDR driver is set to Disabled" +- name: "18.5.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled" block: - - name: "18.5.9.2 | PATCH | L2 | Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain" + - name: "18.5.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: AllowRspndrOnDomain data: 0 type: dword - - name: "18.5.9.2 | PATCH | L2 | Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet" + - name: "18.5.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: AllowRspndrOnPublicNet data: 0 type: dword - - name: "18.5.9.2 | PATCH | L2 | Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr" + - name: "18.5.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: EnableRspndr data: 0 type: dword - - name: "18.5.9.2 | PATCH | L2 | Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet" + - name: "18.5.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: ProhibitRspndrOnPrivateNet 
@@ -526,8 +598,10 @@ - level2-memberserver - rule_18.5.9.2 - patch + - rspndr + - driver -- name: "18.5.10.2 | PATCH | L2 | Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled" +- name: "18.5.10.2 | PATCH | Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Peernet name: Disabled @@ -540,8 +614,9 @@ - level2-memberserver - rule_18.5.10.2 - patch + - p2p -- name: "18.5.11.2 | PATCH | L1 | Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled" +- name: "18.5.11.2 | PATCH | Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections name: NC_AllowNetBridge_NLA @@ -554,8 +629,9 @@ - level1-memberserver - rule_18.5.11.2 - patch + - networkconnections -- name: "18.5.11.3 | PATCH | L1 | Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled" +- name: "18.5.11.3 | PATCH | Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections name: NC_ShowSharedAccessUI @@ -568,8 +644,9 @@ - level1-memberserver - rule_18.5.11.3 - patch + - networkconnections -- name: "18.5.11.4 | PATCH | L1 | Ensure Require domain users to elevate when setting a networks location is set to Enabled" +- name: "18.5.11.4 | PATCH | Ensure Require domain users to elevate when setting a networks location is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections name: NC_StdDomainUserSetLocation 
@@ -582,17 +659,18 @@ - level1-memberserver - rule_18.5.11.4 - patch + - networkconnections -- name: "18.5.14.1 | PATCH | L1 | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares" +- name: "18.5.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares" block: - - name: "18.5.14.1 | PATCH | L1 | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares" + - name: "18.5.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths name: "\\\\*\\NETLOGON" data: "RequireMutualAuthentication=1, RequireIntegrity=1" type: string - - name: "18.5.14.1 | PATCH | L1 | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares" + - name: "18.5.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths name: "\\\\*\\SYSVOL" @@ -605,8 +683,10 @@ - level1-memberserver - rule_18.5.14.1 - patch + - paths + - unc -- name: "18.5.19.2.1 | PATCH | L2 | Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255" +- name: "18.5.19.2.1 | PATCH | Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255" win_regedit: path: HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters name: DisabledComponents 
@@ -619,38 +699,39 @@ - level2-memberserver - rule_18.5.19.2.1 - patch + - ipv6 -- name: "18.5.20.1 | PATCH | L2 | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled" +- name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled" block: - - name: "18.5.20.1 | PATCH | L2 | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars" + - name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: EnableRegistrars data: 0 type: dword - - name: "18.5.20.1 | PATCH | L2 | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar" + - name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: DisableUPnPRegistrar data: 0 type: dword - - name: "18.5.20.1 | PATCH | L2 | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar" + - name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: DisableInBand802DOT11Registrar data: 0 type: dword - - name: "18.5.20.1 | PATCH | L2 | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar" + - name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: DisableFlashConfigRegistrar 
data: 0 type: dword - - name: "18.5.20.1 | PATCH | L2 | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar" + - name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: DisableWPDRegistrar @@ -663,8 +744,9 @@ - level2-memberserver - rule_18.5.20.1 - patch + - wireless -- name: "18.5.20.2 | PATCH | L2 | Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled" +- name: "18.5.20.2 | PATCH | Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui name: DisableWcnUi @@ -677,8 +759,9 @@ - level2-memberserver - rule_18.5.20.2 - patch + - connectnow -- name: "18.5.21.1 | PATCH | L1 | Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled" +- name: "18.5.21.1 | PATCH | Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy name: fMinimizeConnections @@ -691,8 +774,9 @@ - level1-memberserver - rule_18.5.21.1 - patch + - gpo -- name: "18.5.21.2 | PATCH | L2 | Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only" +- name: "18.5.21.2 | PATCH | Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy name: fBlockNonDomain 
@@ -705,8 +789,54 @@ - level2-memberserver - rule_18.5.21.2 - patch + - gpo -- name: "18.7.1.1 | PATCH | L2 | Ensure Turn off notifications network usage is set to Enabled" +- name: "18.6.1 | PATCH | Ensure Allow Print Spooler to accept client connections is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers + name: RegisterSpoolerRemoteRpcEndPoint + data: 2 + type: dword + when: + - rule_18_6_1 + tags: + - level1-domaincontroller + - level2-memberserver + - rule_18.6.1 + - patch + - printers + +- name: "18.6.2 | PATCH | Ensure Point and Print Restrictions: When installing drivers for a new connection is set to Enabled: Show warning and elevation prompt" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint + name: NoWarningNoElevationOnInstall + data: 0 + type: dword + when: + - rule_18_6_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.6.2 + - patch + - printers + +- name: "18.6.3 | PATCH | Ensure Point and Print Restrictions: When updating drivers for an existing connection is set to Enabled: Show warning and elevation prompt" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint + name: UpdatePromptSettings + data: 0 + type: dword + when: + - rule_18_6_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.6.3 + - patch + - printers + +- name: "18.7.1.1 | PATCH | Ensure Turn off notifications network usage is set to Enabled" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications name: NoCloudApplicationNotification 
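Review bot: 18.6.1 writes `RegisterSpoolerRemoteRpcEndPoint: 2`, which stops the spooler accepting any remote client connections, so a member server that doubles as a print server stops serving printers as soon as this role runs, and neither the task nor its name warns about that; the only opt-out is `rule_18_6_1`. Add a comment above the task, e.g. `# Blocks inbound spooler RPC - set rule_18_6_1: false on print servers`, and mention it in the README caution section. For 18.6.2/18.6.3 the values 0 for `NoWarningNoElevationOnInstall` and `UpdatePromptSettings` match the benchmark wording, but since KB5005652 `RestrictDriverInstallationToAdministrators=1` is the default and overrides these prompt settings; a short comment noting that these two values only matter if a site relaxes that key would stop someone treating them as the full PrintNightmare mitigation.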
@@ -719,8 +849,9 @@ - level2-memberserver - rule_18.7.1.1 - patch + - notifications -- name: "18.8.3.1 | PATCH | L1 | Ensure Include command line in process creation events is set to Disabled" +- name: "18.8.3.1 | PATCH | Ensure Include command line in process creation events is set to Disabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Audit name: ProcessCreationIncludeCmdLine_Enabled @@ -734,7 +865,7 @@ - rule_18.8.3.1 - patch -- name: "18.8.4.1 | PATCH | L1 | Ensure Encryption Oracle Remediation is set to Enabled Force Updated Clients" +- name: "18.8.4.1 | PATCH | Ensure Encryption Oracle Remediation is set to Enabled Force Updated Clients" win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters name: AllowEncryptionOracle @@ -747,8 +878,9 @@ - level1-memberserver - rule_18.8.4.1 - patch + - encryption_oracle -- name: "18.8.4.2 | PATCH | L1 | Ensure Remote host allows delegation of non-exportable credentials is set to Enabled" +- name: "18.8.4.2 | PATCH | Ensure Remote host allows delegation of non-exportable credentials is set to Enabled" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation name: AllowProtectedCreds @@ -761,6 +893,7 @@ - level1-memberserver - rule_18.8.4.2 - patch + - credentialsdelecation - name: "18.8.5.1 | PATCH | NG Ensure Turn On Virtualization Based Security is set to Enabled" win_regedit: @@ -775,6 +908,7 @@ - ngws-memberserver - rule_18.8.5.1 - patch + - vbs - name: "18.8.5.2 | PATCH | NG Ensure Turn On Virtualization Based Security Select Platform Security Level is set to Secure Boot and DMA Protection" win_regedit: @@ -789,6 +923,7 @@ - ngws-memberserver - rule_18.8.5.2 - patch + - vbs - name: "18.8.5.3 | PATCH | NG Ensure Turn On Virtualization Based Security Virtualization Based Protection of Code Integrity is set to Enabled with UEFI lock" win_regedit: 
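Review bot: The 18.8.3.1 task name keeps "is set to Disabled", but this PR moves the role to benchmark v1.3.0 and several 2022-era CIS Windows benchmarks flipped this recommendation to Enabled so that process-creation events (4688) carry the command line; the data written for `ProcessCreationIncludeCmdLine_Enabled` is outside this hunk, so please verify the value against the v1.3.0 text rather than only renaming the task. If v1.3.0 still says Disabled, a comment such as `# Detection teams usually want this Enabled; rule_18_8_3_1 is the opt-out` would save the next reader the same check. Also, the tag added to 18.8.4.2 is misspelled as `- credentialsdelecation`, so `--tags credentialsdelegation` never matches; spell it `- credentialsdelegation`.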
@@ -803,6 +938,7 @@ - ngws-memberserver - rule_18.8.5.3 - patch + - vbs - name: "18.8.5.4 | PATCH | NG Ensure Turn On Virtualization Based Security Require UEFI Memory Attributes Table is set to True checked" win_regedit: @@ -817,6 +953,7 @@ - ngws-memberserver - rule_18.8.5.4 - patch + - vbs - name: "18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only" win_regedit: @@ -831,6 +968,7 @@ - ngws-memberserver - rule_18.8.5.5 - patch + - vbs - name: "18.8.5.6 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Disabled DC Only" win_regedit: @@ -845,6 +983,7 @@ - ngws-domaincontroller - rule_18.8.5.6 - patch + - vbs - name: "18.8.5.7 | PATCH | NG Ensure Turn On Virtualization Based Security Secure Launch Configuration is set to Enabled" win_regedit: @@ -859,8 +998,24 @@ - ngws-memberserver - rule_18.8.5.7 - patch + - vbs + +- name: "18.8.7.2 | PATCH | Ensure Prevent device metadata retrieval from the Internet is set to Enabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Device Metadata + name: PreventDeviceMetadataFromNetwork + data: 1 + type: dword + when: + - rule_18_8_7_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.8.7.2 + - patch + - metadata -- name: "18.8.14.1 | PATCH | L1 | Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical" +- name: "18.8.14.1 | PATCH | Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical" win_regedit: path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch name: DriverLoadPolicy 
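Review bot: The new 18.8.7.2 task is gated on `rule_18_8_7_2`, and this patch also introduces `rule_18_5_4_2`, `rule_18_6_1`, `rule_18_6_2`, `rule_18_6_3` and `rule_18_8_40_1`; none of their defaults are visible in this diff, and an undefined variable in `when` fails the play instead of skipping the task. Confirm each is declared in defaults/main.yml (presumably as `rule_18_8_7_2: true` and so on), and because 18.5.4.1 was renumbered to 18.5.4.2, check that no inventory still sets the old `rule_18_5_4_1` expecting it to control the multicast rule rather than the new DoH one.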
@@ -873,8 +1028,9 @@ - level1-memberserver - rule_18.8.14.1 - patch + - drivers -- name: "18.8.21.2 | PATCH | L1 | Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE" +- name: "18.8.21.2 | PATCH | Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} name: NoBackgroundPolicy @@ -887,8 +1043,9 @@ - level1-memberserver - rule_18.8.21.2 - patch + - gpo -- name: "18.8.21.3 | PATCH | L1 | Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE" +- name: "18.8.21.3 | PATCH | Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} name: NoGPOListChanges @@ -901,8 +1058,9 @@ - level1-memberserver - rule_18.8.21.3 - patch + - gpo -- name: "18.8.21.4 | PATCH | L1 | Ensure Continue experiences on this device is set to Disabled" +- name: "18.8.21.4 | PATCH | Ensure Continue experiences on this device is set to Disabled" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System name: EnableCdp @@ -916,11 +1074,11 @@ - rule_18.8.21.4 - patch -- name: "18.8.21.5 | PATCH | L1 | Ensure Turn off background refresh of Group Policy is set to Disabled" +- name: "18.8.21.5 | PATCH | Ensure Turn off background refresh of Group Policy is set to Disabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy state: absent - delete_key: yes + delete_key: false when: - rule_18_8_21_5 tags: 
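Review bot: The `delete_key: yes` to `delete_key: false` change on 18.8.21.5 inverts the option rather than just satisfying the truthy lint (`yes` is `true` in YAML 1.1), and with `state: absent` and no `name` the task now only clears the default value of a key called `DisableBkGndGroupPolicy` instead of removing it. Either way the task does not do what the rule asks, because `DisableBkGndGroupPolicy` is a value under `...\Policies\System`, not a key; it should read `path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System`, `name: DisableBkGndGroupPolicy`, `state: absent`, with `delete_key` dropped since it only applies when deleting a whole key. The task's `when`/`tags` continue past the end of this hunk.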
@@ -928,8 +1086,9 @@ - level1-memberserver - rule_18.8.21.5 - patch + - gpo -- name: "18.8.22.1.1 | PATCH | L1 | Ensure Turn off downloading of print drivers over HTTP is set to Enabled" +- name: "18.8.22.1.1 | PATCH | Ensure Turn off downloading of print drivers over HTTP is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers name: DisableWebPnPDownload @@ -942,8 +1101,10 @@ - level1-memberserver - rule_18.8.22.1.1 - patch + - drivers + - printers -- name: "18.8.22.1.2 | PATCH | L2 | Ensure Turn off handwriting personalization data sharing is set to Enabled" +- name: "18.8.22.1.2 | PATCH | Ensure Turn off handwriting personalization data sharing is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Tabletpc name: PreventHandwritingDataSharing @@ -956,8 +1117,9 @@ - level2-memberserver - rule_18.8.22.1.2 - patch + - handwriting -- name: "18.8.22.1.3 | PATCH | L2 | Ensure Turn off handwriting recognition error reporting is set to Enabled" +- name: "18.8.22.1.3 | PATCH | Ensure Turn off handwriting recognition error reporting is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Handwritingerrorreports name: PreventHandwritingErrorReports @@ -970,8 +1132,9 @@ - level2-memberserver - rule_18.8.22.1.3 - patch + - handwriting -- name: "18.8.22.1.4 | PATCH | L2 | Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled" +- name: "18.8.22.1.4 | PATCH | Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard name: ExitOnMSICW 
@@ -984,8 +1147,10 @@ - level2-memberserver - rule_18.8.22.1.4 - patch + - wizard + - internetconnectionwizard -- name: "18.8.22.1.5 | PATCH | L1 | Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled" +- name: "18.8.22.1.5 | PATCH | Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoWebServices @@ -998,8 +1163,10 @@ - level1-memberserver - rule_18.8.22.1.5 - patch + - wizard + - internetdownloadwizard -- name: "18.8.22.1.6 | PATCH | L2 | Ensure Turn off printing over HTTP is set to Enabled" +- name: "18.8.22.1.6 | PATCH | Ensure Turn off printing over HTTP is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers name: DisableHTTPPrinting @@ -1012,8 +1179,9 @@ - level2-memberserver - rule_18.8.22.1.6 - patch + - printers -- name: "18.8.22.1.7 | PATCH | L2 | Ensure Turn off Registration if URL connection is referring to Microsoft.com is set to Enabled" +- name: "18.8.22.1.7 | PATCH | Ensure Turn off Registration if URL connection is referring to Microsoft.com is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control name: NoRegistration @@ -1026,8 +1194,10 @@ - level2-memberserver - rule_18.8.22.1.7 - patch + - wizard + - registration -- name: "SCORED | 18.8.22.1.8 | PATCH | L2 | Ensure Turn off Search Companion content file updates is set to Enabled" +- name: "18.8.22.1.8 | PATCH | Ensure Turn off Search Companion content file updates is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Searchcompanion name: DisableContentFileUpdates 
@@ -1040,8 +1210,9 @@ - level2-memberserver - rule_18.8.22.1.8 - patch + - search -- name: "18.8.22.1.9 | PATCH | L2 | Ensure Turn off the Order Prints picture task is set to Enabled" +- name: "18.8.22.1.9 | PATCH | Ensure Turn off the Order Prints picture task is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoOnlinePrintsWizard @@ -1054,8 +1225,9 @@ - level2-memberserver - rule_18.8.22.1.9 - patch + - printers -- name: "18.8.22.1.10 | PATCH | L2 | Ensure Turn off the Publish to Web task for files and folders is set to Enabled" +- name: "18.8.22.1.10 | PATCH | Ensure Turn off the Publish to Web task for files and folders is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoPublishingWizard @@ -1068,8 +1240,9 @@ - level2-memberserver - rule_18.8.22.1.10 - patch + - wizard -- name: "18.8.22.1.11 | PATCH | L2 | Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled" +- name: "18.8.22.1.11 | PATCH | Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Messenger\Client name: CEIP @@ -1082,8 +1255,9 @@ - level2-memberserver - rule_18.8.22.1.11 - patch + - wmcei -- name: "18.8.22.1.12 | PATCH | L2 | Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled" +- name: "18.8.22.1.12 | PATCH | Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Sqmclient\Windows name: CEIPEnable 
@@ -1096,17 +1270,18 @@ - level2-memberserver - rule_18.8.22.1.12 - patch + - wmcei -- name: "18.8.22.1.13 | PATCH | L2 | Ensure Turn off Windows Error Reporting is set to Enabled" +- name: "18.8.22.1.13 | PATCH | Ensure Turn off Windows Error Reporting is set to Enabled" block: - - name: "18.8.22.1.13 | PATCH | L2 | Ensure Turn off Windows Error Reporting is set to Enabled | Windows Error Reporting" + - name: "18.8.22.1.13 | PATCH | Ensure Turn off Windows Error Reporting is set to Enabled | Windows Error Reporting" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting name: Disabled data: 1 type: dword - - name: "18.8.22.1.13 | PATCH | L2 | Ensure Turn off Windows Error Reporting is set to Enabled | ErrorReporting" + - name: "18.8.22.1.13 | PATCH | Ensure Turn off Windows Error Reporting is set to Enabled | ErrorReporting" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting name: DoReport 
@@ -1119,17 +1294,18 @@ - level2-memberserver - rule_18.8.22.1.13 - patch + - errorreporting -- name: "18.8.25.1 | PATCH | L2 | Ensure Support device authentication using certificate is set to Enabled Automatic" +- name: "18.8.25.1 | PATCH | Ensure Support device authentication using certificate is set to Enabled Automatic" block: - - name: "18.8.25.1 | PATCH | L2 | Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior" + - name: "18.8.25.1 | PATCH | Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior" win_regedit: path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters name: DevicePKInitBehavior data: 0 type: dword - - name: "18.8.25.1 | PATCH | L2 | Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled" + - name: "18.8.25.1 | PATCH | Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters name: DevicePKInitEnabled @@ -1142,8 +1318,9 @@ - level2-memberserver - rule_18.8.25.1 - patch + - certifcates -- name: "18.8.26.1 | PATCH | L1 | Ensure Enumeration policy for external devices incompatible with Kernel DMA Protection is set to Enabled Block All" +- name: "18.8.26.1 | PATCH | Ensure Enumeration policy for external devices incompatible with Kernel DMA Protection is set to Enabled Block All" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Kernel DMA Protection name: DeviceEnumerationPolicy 
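Review bot: The tag added to 18.8.25.1 is misspelled as `certifcates`, so a run selecting `--tags certificates` silently skips the device-authentication task; change it to `- certificates`. The rest of this hunk only strips the level marker from task names, which is fine given the level is still carried by the `level2-*` tags.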
@@ -1156,8 +1333,9 @@ - level1-memberserver - rule_18.8.26.1 - patch + - dma -- name: "18.8.27.1 | PATCH | L2 | Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled" +- name: "18.8.27.1 | PATCH | Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Control Panel\International name: BlockUserInputMethodsForSignIn @@ -1171,7 +1349,7 @@ - rule_18.8.27.1 - patch -- name: "18.8.28.1 | PATCH | L1 | Ensure Block user from showing account details on sign-in is set to Enabled" +- name: "18.8.28.1 | PATCH | Ensure Block user from showing account details on sign-in is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: BlockUserFromShowingAccountDetailsOnSignin @@ -1184,8 +1362,9 @@ - level1-memberserver - rule_18.8.28.1 - patch + - accounts -- name: "18.8.28.2 | PATCH | L1 | Ensure Do not display network selection UI is set to Enabled" +- name: "18.8.28.2 | PATCH | Ensure Do not display network selection UI is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: DontDisplayNetworkSelectionUI @@ -1199,7 +1378,7 @@ - rule_18.8.28.2 - patch -- name: "18.8.28.3 | PATCH | L1 | Ensure Do not enumerate connected users on domain-joined computers is set to Enabled" +- name: "18.8.28.3 | PATCH | Ensure Do not enumerate connected users on domain-joined computers is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: DontEnumerateConnectedUsers 
@@ -1212,8 +1391,9 @@ - level1-memberserver - rule_18.8.28.3 - patch + - enumerate -- name: "18.8.28.4 | PATCH | L1 | Ensure Enumerate local users on domain-joined computers is set to Disabled MS only" +- name: "18.8.28.4 | PATCH | Ensure Enumerate local users on domain-joined computers is set to Disabled MS only" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: EnumerateLocalUsers @@ -1225,8 +1405,9 @@ - level1-memberserver - rule_18.8.28.4 - patch + - enumerate -- name: "18.8.28.5 | PATCH | L1 | Ensure Turn off app notifications on the lock screen is set to Enabled" +- name: "18.8.28.5 | PATCH | Ensure Turn off app notifications on the lock screen is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: DisableLockScreenAppNotifications @@ -1239,8 +1420,9 @@ - level1-memberserver - rule_18.8.28.5 - patch + - notifications -- name: "18.8.28.6 | PATCH | L1 | Ensure Turn off picture password sign-in is set to Enabled" +- name: "18.8.28.6 | PATCH | Ensure Turn off picture password sign-in is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: BlockDomainPicturePassword @@ -1253,8 +1435,9 @@ - level1-memberserver - rule_18.8.28.6 - patch + - logon -- name: "18.8.28.7 | PATCH | L1 | Ensure Turn on convenience PIN sign-in is set to Disabled" +- name: "18.8.28.7 | PATCH | Ensure Turn on convenience PIN sign-in is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: AllowDomainPINLogon @@ -1267,8 +1450,9 @@ - level1-memberserver - rule_18.8.28.7 - patch + - pin -- name: "18.8.31.1 | PATCH | L2 | Ensure Allow Clipboard synchronization across devices is set to Disabled" +- name: "18.8.31.1 | PATCH | Ensure Allow Clipboard synchronization across devices is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: AllowCrossDeviceClipboard 
@@ -1281,8 +1465,9 @@ - level2-memberserver - rule_18.8.31.1 - patch + - clipboard -- name: "18.8.31.2 | PATCH | L2 | Ensure Allow upload of User Activities is set to Disabled" +- name: "18.8.31.2 | PATCH | Ensure Allow upload of User Activities is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: UploadUserActivities @@ -1296,7 +1481,7 @@ - rule_18.8.31.2 - patch -- name: "18.8.34.6.1 | PATCH | L2 | Ensure Allow network connectivity during connected-standby on battery is set to Disabled" +- name: "18.8.34.6.1 | PATCH | Ensure Allow network connectivity during connected-standby on battery is set to Disabled" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 name: DCSettingIndex @@ -1309,8 +1494,9 @@ - level2-memberserver - rule_18.8.34.6.1 - patch + - power -- name: "18.8.34.6.2 | PATCH | L2 | Ensure Allow network connectivity during connected-standby plugged in is set to Disabled" +- name: "18.8.34.6.2 | PATCH | Ensure Allow network connectivity during connected-standby plugged in is set to Disabled" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 name: ACSettingIndex @@ -1323,8 +1509,9 @@ - level2-memberserver - rule_18.8.34.6.2 - patch + - power -- name: "18.8.34.6.3 | PATCH | L1 | Ensure Require a password when a computer wakes on battery is set to Enabled" +- name: "18.8.34.6.3 | PATCH | Ensure Require a password when a computer wakes on battery is set to Enabled" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 name: DCSettingIndex 
@@ -1337,8 +1524,10 @@ - level1-memberserver - rule_18.8.34.6.3 - patch + - power + - logon -- name: "18.8.34.6.4 | PATCH | L1 | Ensure Require a password when a computer wakes plugged in is set to Enabled" +- name: "18.8.34.6.4 | PATCH | Ensure Require a password when a computer wakes plugged in is set to Enabled" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 name: ACSettingIndex @@ -1351,8 +1540,9 @@ - level1-memberserver - rule_18.8.34.6.4 - patch + - logon -- name: "18.8.36.1 | PATCH | L1 | Ensure Configure Offer Remote Assistance is set to Disabled" +- name: "18.8.36.1 | PATCH | Ensure Configure Offer Remote Assistance is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fAllowUnsolicited @@ -1365,8 +1555,9 @@ - level1-memberserver - rule_18.8.36.1 - patch + - cora -- name: "18.8.36.2 | PATCH | L1 | Ensure Configure Solicited Remote Assistance is set to Disabled" +- name: "18.8.36.2 | PATCH | Ensure Configure Solicited Remote Assistance is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fAllowToGetHelp @@ -1379,8 +1570,9 @@ - level1-memberserver - rule_18.8.36.2 - patch + - csra -- name: "18.8.37.1 | PATCH | L1 | Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only" +- name: "18.8.37.1 | PATCH | Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc name: EnableAuthEpResolution 
@@ -1393,8 +1585,9 @@ - level1-memberserver - rule_18.8.37.1 - patch + - rpc -- name: "18.8.37.2 | PATCH | L2 | Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only" +- name: "18.8.37.2 | PATCH | Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc name: RestrictRemoteClients @@ -1407,8 +1600,24 @@ - level2-memberserver - rule_18.8.37.2 - patch + - rpc + +- name: "18.8.40.1 | PATCH | Ensure Configure validation of ROCA-vulnerable WHfB keys during authentication is set to Enabled: Audit or higher" + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SAM + name: SamNGCKeyROCAValidation + data: 1 + type: dword + when: + - rule_18_8_40_1 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-domaincontroller + - rule_18.8.40.1 + - patch + - sam -- name: "18.8.47.5.1 | PATCH | L2 | Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled" +- name: "18.8.47.5.1 | PATCH | Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy name: DisableQueryRemoteServer @@ -1421,8 +1630,9 @@ - level2-memberserver - rule_18.8.47.5.1 - patch + - msdt -- name: "18.8.47.11.1 | PATCH | L2 | Ensure EnableDisable PerfTrack is set to Disabled" +- name: "18.8.47.11.1 | PATCH | Ensure EnableDisable PerfTrack is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D} name: ScenarioExecutionEnabled 
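Review bot: The new 18.8.40.1 task is gated on `ansible_windows_domain_role == "Primary domain controller"`, which appears to match only the domain controller reporting DomainRole 5 (the PDC emulator); additional DCs typically report "Backup domain controller" and would silently skip this DC-only hardening. Unless the rest of the role deliberately targets only the PDC emulator, widen the test to `- ansible_windows_domain_role in ["Primary domain controller", "Backup domain controller"]` (or whatever DC test the other DC-only tasks in this file use, so the role stays consistent). The `when` also references `rule_18_8_40_1`, which must be declared in the role defaults or the task fails on an undefined variable. `data: 1` is the benchmark's Audit floor; a comment such as `# 1 = Audit (benchmark minimum), 2 = Block ROCA-vulnerable keys` would make that choice visible to operators.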
@@ -1435,8 +1645,9 @@ - level2-memberserver - rule_18.8.47.11.1 - patch + - pertrack -- name: "18.8.49.1 | PATCH | L2 | Ensure Turn off the advertising ID is set to Enabled" +- name: "18.8.49.1 | PATCH | Ensure Turn off the advertising ID is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo name: DisabledByGroupPolicy @@ -1449,8 +1660,9 @@ - level2-memberserver - rule_18.8.49.1 - patch + - advertising -- name: "18.8.52.1.1 | PATCH | L2 | Ensure Enable Windows NTP Client is set to Enabled" +- name: "18.8.52.1.1 | PATCH | Ensure Enable Windows NTP Client is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient name: Enabled @@ -1463,8 +1675,9 @@ - level2-memberserver - rule_18.8.52.1.1 - patch + - ntp -- name: "18.8.52.1.2 | PATCH | L2 | Ensure Enable Windows NTP Server is set to Disabled MS only" +- name: "18.8.52.1.2 | PATCH | Ensure Enable Windows NTP Server is set to Disabled MS only" win_regedit: path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver name: Enabled @@ -1477,8 +1690,9 @@ - level2-memberserver - rule_18.8.52.1.2 - patch + - ntp -- name: "18.9.4.1 | PATCH | L2 | Ensure Allow a Windows app to share application data between users is set to Disabled" +- name: "18.9.4.1 | PATCH | Ensure Allow a Windows app to share application data between users is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager name: AllowSharedLocalAppData @@ -1491,8 +1705,9 @@ - level2-memberserver - rule_18.9.4.1 - patch + - data -- name: "18.9.6.1 | PATCH | L1 | Ensure Allow Microsoft accounts to be optional is set to Enabled" +- name: "18.9.6.1 | PATCH | Ensure Allow Microsoft accounts to be optional is set to Enabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: MSAOptional 
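Review bot: The tag added to 18.8.47.11.1 is misspelled as `pertrack`; the setting is PerfTrack, so `--tags perftrack` would not select this task. Change the added line to `- perftrack`.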
@@ -1505,8 +1720,9 @@ - level1-memberserver - rule_18.9.6.1 - patch + - accounts -- name: "18.9.8.1 | PATCH | L1 | Ensure Disallow Autoplay for non-volume devices is set to Enabled" +- name: "18.9.8.1 | PATCH | Ensure Disallow Autoplay for non-volume devices is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Explorer name: NoAutoplayfornonVolume @@ -1519,8 +1735,9 @@ - level1-memberserver - rule_18.9.8.1 - patch + - autoplay -- name: "18.9.8.2 | PATCH | L1 | Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun commands" +- name: "18.9.8.2 | PATCH | Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun commands" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoAutorun @@ -1533,8 +1750,9 @@ - level1-memberserver - rule_18.9.8.2 - patch + - autorun -- name: "18.9.8.3 | PATCH | L1 | Ensure Turn off Autoplay is set to Enabled All drives" +- name: "18.9.8.3 | PATCH | Ensure Turn off Autoplay is set to Enabled All drives" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoDriveTypeAutoRun @@ -1547,8 +1765,9 @@ - level1-memberserver - rule_18.9.8.3 - patch + - autoplay -- name: "18.9.10.1.1 | PATCH | L1 | Ensure Configure enhanced anti-spoofing is set to Enabled" +- name: "18.9.10.1.1 | PATCH | Ensure Configure enhanced anti-spoofing is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures name: EnhancedAntiSpoofing @@ -1561,8 +1780,9 @@ - level1-memberserver - rule_18.9.10.1.1 - patch + - antispoofing -- name: "18.9.12.1 | PATCH | L2 | Ensure Allow Use of Camera is set to Disabled" +- name: "18.9.12.1 | PATCH | Ensure Allow Use of Camera is set to Disabled" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Camera name: AllowCamera 
@@ -1575,134 +1795,259 @@ - level2-memberserver - rule_18.9.12.1 - patch + - camera -- name: "18.9.13.1 | PATCH | L2 | Ensure Turn off Microsoft consumer experiences is set to Enabled" +- name: "18.9.14.1 | PATCH | Ensure Turn off cloud consumer account state content is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent - name: DisableCloudOptimizedContent + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent + name: DisableConsumerAccountStateContent data: 1 type: dword when: - - rule_18_9_13_1 + - rule_18_9_14_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.13.1 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.14.1 - patch + - cloud -- name: "18.9.13.2 | PATCH | L1 | Ensure Turn off Microsoft consumer experiences is set to Enabled" +- name: "18.9.14.2 | PATCH | Ensure Turn off Microsoft consumer experiences is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent name: DisableWindowsConsumerFeatures data: 1 type: dword when: - - rule_18_9_13_2 + - rule_18_9_14_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.13.2 + - rule_18.9.14.2 - patch + - cloud -- name: "18.9.14.1 | PATCH | L1 | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always" +- name: "18.9.15.1 | PATCH | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect name: RequirePinForPairing data: 1 type: dword when: - - rule_18_9_14_1 + - rule_18_9_15_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.14.1 + - rule_18.9.15.1 - patch + - pin -- name: "18.9.15.1 | PATCH | L1 | Ensure Do not display the password reveal button is set to Enabled" +- name: "18.9.16.1 | PATCH | Ensure Do not display the password reveal button is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Credui name: 
DisablePasswordReveal data: 1 type: dword when: - - rule_18_9_15_1 + - rule_18_9_16_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.15.1 + - rule_18.9.16.1 - patch + - gui -- name: "18.9.15.2 | PATCH | L1 | Ensure Enumerate administrator accounts on elevation is set to Disabled" +- name: "18.9.16.2 | PATCH | Ensure Enumerate administrator accounts on elevation is set to Disabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui name: EnumerateAdministrators data: 0 type: dword when: - - rule_18_9_15_2 + - rule_18_9_16_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.15.2 + - rule_18.9.16.2 - patch + - accounts -- name: "18.9.16.1 | PATCH | L1 | Ensure Allow Telemetry is set to Enabled 0 - Security Enterprise Only or Enabled 1 - Basic" +- name: "18.9.17.1 | PATCH | Ensure Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection name: AllowTelemetry - data: 0 + data: 1 type: dword when: - - rule_18_9_16_1 + - rule_18_9_17_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.16.1 + - rule_18.9.17.1 - patch + - diagnostrics -- name: "18.9.16.2 | PATCH | L2 | Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage" +- name: "18.9.17.2 | PATCH | Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection + path: HKLM:\Software\Policies\Microsoft\Windows\DataCollection name: DisableEnterpriseAuthProxy data: 0 type: dword when: - - rule_18_9_16_2 + - rule_18_9_17_2 tags: - level2-domaincontroller - 
level2-memberserver - - rule_18.9.16.2 + - rule_18.9.17.2 + - patch + - datacollection + +- name: "18.9.17.3 | PATCH | Ensure Disable OneSettings Downloads is set to Enabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection + name: DisableOneSettingsDownloads + data: 1 + type: dword + when: + - rule_18_9_17_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.17.3 - patch + - onesettings -- name: "18.9.16.3 | PATCH | L1 | Ensure Do not show feedback notifications is set to Enabled" +- name: "18.9.17.4 | PATCH | Ensure Do not show feedback notifications is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection name: DoNotShowFeedbackNotifications data: 1 type: dword when: - - rule_18_9_16_3 + - rule_18_9_17_4 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.16.3 + - rule_18.9.17.4 - patch + - datacollection -- name: "18.9.16.4 | PATCH | L1 | Ensure Toggle user control over Insider builds is set to Disabled" +- name: "18.9.17.5 | PATCH | Ensure Enable OneSettings Auditing' is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds - name: AllowBuildPreview - data: 0 + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection + name: EnableOneSettingsAuditing + data: 1 type: dword when: - - rule_18_9_16_4 + - rule_18_9_17_5 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.16.4 + - rule_18.9.17.5 - patch + - datacollection -- name: "18.9.26.1.1 | PATCH | L1 | Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "18.9.17.6 | PATCH | Ensure Limit Diagnostic Log Collection is set to Enabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection + name: LimitDiagnosticLogCollection + data: 1 + type: dword + when: + - rule_18_9_17_6 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.17.6 + - 
patch + - datacollection + +- name: "18.9.17.7 | PATCH | Ensure Limit Dump Collection is set to Enabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection + name: LimitDumpCollection + data: 1 + type: dword + when: + - rule_18_9_17_7 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.17.7 + - patch + - datacollection + +- name: "18.9.17.8 | PATCH | Ensure Toggle user control over Insider builds is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds + name: AllowBuildPreview + data: 0 + type: dword + when: + - rule_18_9_17_8 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.17.8 + - patch + +# - name: "18.9.16.1 | PATCH | Ensure Allow Telemetry is set to Enabled 0 - Security Enterprise Only or Enabled 1 - Basic" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection +# name: AllowTelemetry +# data: 0 +# type: dword +# when: +# - rule_18_9_16_1 +# tags: +# - level1-domaincontroller +# - level1-memberserver +# - rule_18.9.16.1 +# - patch + +# - name: "18.9.16.2 | PATCH | Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection +# name: DisableEnterpriseAuthProxy +# data: 0 +# type: dword +# when: +# - rule_18_9_16_2 +# tags: +# - level2-domaincontroller +# - level2-memberserver +# - rule_18.9.16.2 +# - patch + +# - name: "18.9.16.3 | PATCH | Ensure Do not show feedback notifications is set to Enabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection +# name: DoNotShowFeedbackNotifications +# data: 1 +# type: dword +# when: +# - rule_18_9_16_3 +# tags: +# - level1-domaincontroller +# - level1-memberserver +# - rule_18.9.16.3 +# - patch + +# - name: "18.9.16.4 | PATCH | Ensure Toggle user control over Insider builds is 
set to Disabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds +# name: AllowBuildPreview +# data: 0 +# type: dword +# when: +# - rule_18_9_16_4 +# tags: +# - level1-domaincontroller +# - level1-memberserver +# - rule_18.9.16.4 +# - patch + +- name: "18.9.26.1.1 | PATCH | Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application name: Retention @@ -1715,8 +2060,9 @@ - level1-memberserver - rule_18.9.26.1.1 - patch + - eventlog -- name: "18.9.26.1.2 | PATCH | L1 | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater" +- name: "18.9.26.1.2 | PATCH | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application name: MaxSize @@ -1729,8 +2075,9 @@ - level1-memberserver - rule_18.9.26.1.2 - patch + - eventlog -- name: "18.9.26.2.1 | PATCH | L1 | Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "18.9.26.2.1 | PATCH | Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security name: Retention @@ -1743,8 +2090,9 @@ - level1-memberserver - rule_18.9.26.2.1 - patch + - eventlog -- name: "18.9.26.2.2 | PATCH | L1 | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater" +- name: "18.9.26.2.2 | PATCH | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security name: MaxSize 
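Review bot: 18.9.17.2 still writes `data: 0` for `DisableEnterpriseAuthProxy` while its name says "Enabled: Disable Authenticated Proxy usage"; by the value's name a 0 leaves authenticated-proxy usage on, and the benchmark expects a REG_DWORD of 1 for this policy — verify against v1.3.0 and change the line to `data: 1`. 18.9.17.1 also quietly loosens the hard-coded `AllowTelemetry` from 0 (diagnostic data off) to 1 (required diagnostic data); both satisfy the control, but since this is a policy choice it is better exposed as a role variable with a comment noting that 0 is the more restrictive option rather than silently changed. Its tag is misspelled `diagnostrics` (should be `diagnostics`), and 18.9.17.8 is the only task in this group with no category tag. The commented-out 18.9.16.x block duplicates the live 18.9.17.x tasks and should be deleted rather than kept as dead code that will drift.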
@@ -1757,8 +2105,9 @@ - level1-memberserver - rule_18.9.26.2.2 - patch + - eventlog -- name: "18.9.26.3.1 | PATCH | L1 | Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "18.9.26.3.1 | PATCH | Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup name: Retention @@ -1771,8 +2120,9 @@ - level1-memberserver - rule_18.9.26.3.1 - patch + - eventlog -- name: "18.9.26.3.2 | PATCH | L1 | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater" +- name: "18.9.26.3.2 | PATCH | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup name: MaxSize @@ -1785,8 +2135,9 @@ - level1-memberserver - rule_18.9.26.3.2 - patch + - eventlog -- name: "18.9.26.4.1 | PATCH | L1 | Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "18.9.26.4.1 | PATCH | Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System name: Retention @@ -1799,8 +2150,9 @@ - level1-memberserver - rule_18.9.26.4.1 - patch + - eventlog -- name: "18.9.26.4.2 | PATCH | L1 | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater" +- name: "18.9.26.4.2 | PATCH | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System name: MaxSize 
@@ -1813,8 +2165,9 @@ - level1-memberserver - rule_18.9.26.4.2 - patch + - eventlog -- name: "18.9.30.2 | PATCH | L1 | Ensure Turn off Data Execution Prevention for Explorer is set to Disabled" +- name: "18.9.30.2 | PATCH | Ensure Turn off Data Execution Prevention for Explorer is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Explorer name: NoDataExecutionPrevention @@ -1827,8 +2180,9 @@ - level1-memberserver - rule_18.9.30.2 - patch + - dep -- name: "18.9.30.3 | PATCH | L1 | Ensure Turn off heap termination on corruption is set to Disabled" +- name: "18.9.30.3 | PATCH | Ensure Turn off heap termination on corruption is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Explorer name: NoHeapTerminationOnCorruption @@ -1841,8 +2195,9 @@ - level1-memberserver - rule_18.9.30.3 - patch + - heap -- name: "18.9.30.4 | PATCH | L1 | Ensure Turn off shell protocol protected mode is set to Disabled" +- name: "18.9.30.4 | PATCH | Ensure Turn off shell protocol protected mode is set to Disabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: PreXPSP2ShellProtocolBehavior @@ -1855,8 +2210,9 @@ - level1-memberserver - rule_18.9.30.4 - patch + - shell -- name: "18.9.39.1 | PATCH | L2 | Ensure Turn off location is set to Enabled" +- name: "18.9.39.1 | PATCH | Ensure Turn off location is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors name: DisableLocation @@ -1869,8 +2225,9 @@ - level2-memberserver - rule_18.9.39.1 - patch + - location -- name: "18.9.43.1 | PATCH | L2 | Ensure Allow Message Service Cloud Sync is set to Disabled" +- name: "18.9.43.1 | PATCH | Ensure Allow Message Service Cloud Sync is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Messaging name: AllowMessageSync 
@@ -1883,8 +2240,9 @@ - level2-memberserver - rule_18.9.43.1 - patch + - msc -- name: "18.9.44.1 | PATCH | L1 | Ensure Block all consumer Microsoft account user authentication is set to Enabled" +- name: "18.9.44.1 | PATCH | Ensure Block all consumer Microsoft account user authentication is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount name: DisableUserAuth @@ -1897,8 +2255,9 @@ - level1-memberserver - rule_18.9.44.1 - patch + - account -- name: "18.9.45.3.1 | PATCH | L1 | Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled" +- name: "18.9.45.3.1 | PATCH | Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet name: LocalSettingOverrideSpynetReporting @@ -1911,8 +2270,9 @@ - level1-memberserver - rule_18.9.45.3.1 - patch + - maps -- name: "18.9.45.3.2 | PATCH | L2 | Ensure Join Microsoft MAPS is set to Disabled" +- name: "18.9.45.3.2 | PATCH | Ensure Join Microsoft MAPS is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet name: SpynetReporting @@ -1925,6 +2285,7 @@ - level2-memberserver - rule_18.9.45.3.2 - patch + - maps - name: "18.9.45.5.1 | PATCH | (L2) Ensure 'Enable file hash computation feature' is set to 'Enabled'" win_regedit: 
@@ -1939,36 +2300,23 @@ - level2-memberserver - rule_18.9.45.5.1 - patch + - defender -- name: "18.9.45.8.1 | PATCH | (L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection - name: DisableIOAVProtection - data: 0 - type: dword - when: - - rule_18_9_45_8_1 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.45.8.1 - - patch - -- name: "18.9.45.8.3 | PATCH | L1 | Ensure Turn on behavior monitoring is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - name: DisableBehaviorMonitoring - data: 0 - type: dword - when: - - rule_18_9_45_8_3 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.45.8.3 - - patch +# - name: "18.9.45.8.1 | PATCH | (L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'" +# win_regedit: +# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection +# name: DisableIOAVProtection +# data: 0 +# type: dword +# when: +# - rule_18_9_45_8_1 +# tags: +# - level1-domaincontroller +# - level1-memberserver +# - rule_18.9.45.8.1 +# - patch -- name: "18.9.45.4.1.1 | PATCH | L1 | Ensure Configure Attack Surface Reduction rules is set to Enabled" +- name: "18.9.45.4.1.1 | PATCH | Ensure Configure Attack Surface Reduction rules is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR name: ExploitGuard_ASR_Rules 
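Review bot: The commented-out copy of 18.9.45.8.1 left in this hunk duplicates the live 18.9.47.9.1 task added further down (same key, name and data, new rule number), so it is dead code that will drift from the real task; delete it. If the intent is to record the renumbering, a single comment such as `# 18.9.45.8.x renumbered to 18.9.47.9.x in benchmark v1.3.0` is enough.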
@@ -1981,8 +2329,9 @@ - level1-memberserver - rule_18.9.45.4.1.1 - patch + - defender -- name: "18.9.45.4.1.2 | PATCH | L1 | Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured" +- name: "18.9.45.4.1.2 | PATCH | Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules name: "{{ item }}" @@ -2008,8 +2357,9 @@ - level1-memberserver - rule_18.9.45.4.1.2 - patch + - defender -- name: "18.9.45.4.3.1 | PATCH | L1 | Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block" +- name: "18.9.45.4.3.1 | PATCH | Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection name: EnableNetworkProtection @@ -2022,22 +2372,9 @@ - level1-memberserver - rule_18.9.45.4.3.1 - patch + - defender -- name: "18.9.45.8.2 | PATCH | Ensure 'Turn off real-time protection' is set to 'Disabled'" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection - name: DisableRealtimeMonitoring - data: 1 - datatype: dword - when: - - rule_18_9_45_8_2 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.45.8.2 - - patch - -- name: "18.9.45.10.1 | PATCH | L2 | Ensure Configure Watson events is set to Disabled" +- name: "18.9.45.10.1 | PATCH | Ensure Configure Watson events is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting name: DisableGenericRePorts 
@@ -2050,8 +2387,9 @@ - level2-memberserver - rule_18.9.77.9.1 - patch + - defender -- name: "18.9.45.11.1 | PATCH | L1 | Ensure Scan removable drives is set to Enabled" +- name: "18.9.45.11.1 | PATCH | Ensure Scan removable drives is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan name: DisableRemovableDriveScanning @@ -2064,8 +2402,9 @@ - level1-memberserver - rule_18.9.45.11.1 - patch + - defender -- name: "18.9.45.11.2 | PATCH | L1 | Ensure Turn on e-mail scanning is set to Enabled" +- name: "18.9.45.11.2 | PATCH | Ensure Turn on e-mail scanning is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan name: DisableEmailScanning @@ -2078,8 +2417,9 @@ - level1-memberserver - rule_18.9.45.11.2 - patch + - defender -- name: "18.9.45.14 | PATCH | L1 | Ensure Configure detection for potentially unwanted applications is set to Enabled Block" +- name: "18.9.45.14 | PATCH | Ensure Configure detection for potentially unwanted applications is set to Enabled Block" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender name: PUAProtection @@ -2092,8 +2432,9 @@ - level1-memberserver - rule_18.9.45.14 - patch + - defender -- name: "18.9.45.15 | PATCH | L1 | Ensure Turn off Windows Defender AntiVirus is set to Disabled" +- name: "18.9.45.15 | PATCH | Ensure Turn off Windows Defender AntiVirus is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender name: DisableAntiSpyware 
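Review bot: The context line `- rule_18.9.77.9.1` belongs to the 18.9.45.10.1 (Configure Watson events) task, whose header sits in the previous hunk, so `--tags rule_18.9.45.10.1` does not select it and `rule_18.9.77.9.1` points at a rule number that does not exist in this file. Change it to `- rule_18.9.45.10.1` and check that the task's `when` variable (not visible here, presumably `rule_18_9_45_10_1`) follows the same numbering.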
@@ -2106,8 +2447,73 @@ - level1-memberserver - rule_18.9.45.15 - patch + - defender + +- name: "18.9.47.9.1 | PATCH | Ensure Scan all downloaded files and attachments is set to Enabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection + name: DisableIOAVProtection + data: 0 + type: dword + when: + - rule_18_9_47_9_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.47.9.1 + - patch + - defender + - real_time_protection -- name: "18.9.55.1 | PATCH | L1 | Ensure Prevent the usage of OneDrive for file storage is set to Enabled" +- name: "18.9.47.9.2 | PATCH | Ensure 'Turn off real-time protection' is set to 'Disabled'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection + name: DisableRealtimeMonitoring + data: 1 + datatype: dword + when: + - rule_18_9_47_9_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.47.9.2 + - patch + - defender + - real_time_protection + +- name: "18.9.47.9.3 | PATCH | Ensure Turn on behavior monitoring is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + name: DisableBehaviorMonitoring + data: 0 + type: dword + when: + - rule_18_9_47_9_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.47.9.3 + - patch + - defender + - real_time_protection + +- name: "18.9.47.9.4 | PATCH | Ensure 'Turn on script scanning' is set to 'Enabled'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection + name: DisableScriptScanning + data: 0 + type: dword + when: + - rule_18_9_47_9_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.47.9.4 + - patch + - defender + - real_time_protection + +- name: "18.9.55.1 | PATCH | Ensure Prevent the usage of OneDrive for file storage is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive name: 
DisableFileSyncNGSC @@ -2120,8 +2526,9 @@ - level1-memberserver - rule_18.9.55.1 - patch + - onedrive -- name: "18.9.62.2.2 | PATCH | L1 | Ensure Do not allow passwords to be saved is set to Enabled" +- name: "18.9.62.2.2 | PATCH | Ensure Do not allow passwords to be saved is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: DisablePasswordSaving @@ -2134,8 +2541,9 @@ - level1-memberserver - rule_18.9.62.2.2 - patch + - terminalservices -- name: "18.9.62.3.2.1 | PATCH | L2 | Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled" +- name: "18.9.62.3.2.1 | PATCH | Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fSingleSessionPerUser @@ -2148,8 +2556,9 @@ - level2-memberserver - rule_18.9.62.3.2.1 - patch + - terminalservices -- name: "18.9.62.3.3.1 | PATCH | L2 | Ensure Do not allow COM port redirection is set to Enabled" +- name: "18.9.62.3.3.1 | PATCH | Ensure Do not allow COM port redirection is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fDisableCcm @@ -2162,8 +2571,9 @@ - level2-memberserver - rule_18.9.62.3.3.1 - patch + - terminalservices -- name: "18.9.62.3.3.2 | PATCH | L1 | Ensure Do not allow drive redirection is set to Enabled" +- name: "18.9.62.3.3.2 | PATCH | Ensure Do not allow drive redirection is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fDisableCdm 
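Review bot: 18.9.47.9.2 sets `DisableRealtimeMonitoring` to `data: 1`, which by the value's name turns Defender real-time protection off — the opposite of the control "Turn off real-time protection is set to Disabled", whose expected REG_DWORD is 0 (the same value the neighbouring 18.9.47.9.1/.3/.4 tasks write for their Disable* keys). The value was carried over from the removed 18.9.45.8.2 task, so the commit re-introduces a hardening inversion on every target; change the line to `data: 0`. That task also uses `datatype: dword` while its siblings use `type: dword`; even if win_regedit accepts the alias, `type` keeps the file consistent. As with the other new rules, `rule_18_9_47_9_1` through `rule_18_9_47_9_4` need matching entries in the role defaults or the `when` clauses fail on undefined variables.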
@@ -2176,8 +2586,9 @@ - level1-memberserver - rule_18.9.62.3.3.2 - patch + - terminalservices -- name: "18.9.62.3.3.3 | PATCH | L2 | Ensure Do not allow LPT port redirection is set to Enabled" +- name: "18.9.62.3.3.3 | PATCH | Ensure Do not allow LPT port redirection is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fDisableLPT @@ -2190,8 +2601,9 @@ - level2-memberserver - rule_18.9.62.3.3.3 - patch + - terminalservices -- name: "18.9.62.3.3.4 | PATCH | L2 | Ensure Do not allow supported Plug and Play device redirection is set to Enabled" +- name: "18.9.62.3.3.4 | PATCH | Ensure Do not allow supported Plug and Play device redirection is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fDisablePNPRedir @@ -2204,8 +2616,9 @@ - level2-memberserver - rule_18.9.62.3.3.4 - patch + - terminalservicess -- name: "18.9.62.3.9.1 | PATCH | L1 | Ensure Always prompt for password upon connection is set to Enabled" +- name: "18.9.62.3.9.1 | PATCH | Ensure Always prompt for password upon connection is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fPromptForPassword @@ -2218,8 +2631,9 @@ - level1-memberserver - rule_18.9.62.3.9.1 - patch + - terminalservices -- name: "18.9.62.3.9.2 | PATCH | L1 | Ensure Require secure RPC communication is set to Enabled" +- name: "18.9.62.3.9.2 | PATCH | Ensure Require secure RPC communication is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fEncryptRPCTraffic 
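Review bot: The tag added to 18.9.62.3.3.4 is misspelled `terminalservicess`, so `--tags terminalservices` selects every other RDS task but silently skips Plug and Play device redirection. Change the added line to `- terminalservices`.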
@@ -2232,8 +2646,9 @@ - level1-memberserver - rule_18.9.59.3.9.2 - patch + - terminalservices -- name: "18.9.62.3.9.3 | PATCH | L1 | Ensure Require use of specific security layer for remote RDP connections is set to Enabled SSL" +- name: "18.9.62.3.9.3 | PATCH | Ensure Require use of specific security layer for remote RDP connections is set to Enabled SSL" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: SecurityLayer @@ -2246,8 +2661,9 @@ - level1-memberserver - rule_18.9.62.3.9.3 - patch + - terminalservices -- name: "18.9.62.3.9.4 | PATCH | L1 | Ensure Require user authentication for remote connections by using Network Level Authentication is set to Enabled" +- name: "18.9.62.3.9.4 | PATCH | Ensure Require user authentication for remote connections by using Network Level Authentication is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: UserAuthentication @@ -2260,8 +2676,9 @@ - level1-memberserver - rule_18.9.62.3.9.4 - patch + - terminalservices -- name: "18.9.62.3.9.5 | PATCH | L1 | Ensure Set client connection encryption level is set to Enabled High Level" +- name: "18.9.62.3.9.5 | PATCH | Ensure Set client connection encryption level is set to Enabled High Level" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: MinEncryptionLevel @@ -2274,8 +2691,9 @@ - level1-memberserver - rule_18.9.62.3.9.5 - patch + - terminalservices -- name: "18.9.62.3.10.1 | PATCH | L2 | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less" +- name: "18.9.62.3.10.1 | PATCH | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: MaxIdleTime 
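Review bot: The rule tag kept as context at the top of hunk `@@ -2232,8 +2646,9 @@` is `rule_18.9.59.3.9.2`, but it closes the task renamed to 18.9.62.3.9.2 in the previous hunk, so selecting that control by its rule tag misses it; the same stale numbering remains for `rule_18.9.59.3.11.1` under 18.9.62.3.11.1 (hunk `@@ -2316,8 +2736,9 @@`) and `rule_18.9.66.1` under 18.9.69.1 (hunk `@@ -2386,17 +2813,18 @@`). Since this commit already renumbers the task names, it is the natural place to align the tags: ` - rule_18.9.62.3.9.2`, ` - rule_18.9.62.3.11.1`, ` - rule_18.9.69.1`. Each enclosing task starts before its hunk.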
@@ -2288,8 +2706,9 @@ - level2-memberserver - rule_18.9.62.3.10.1 - patch + - terminalservices -- name: "18.9.62.3.10.2 | PATCH | L2 | Ensure Set time limit for disconnected sessions is set to Enabled 1 minute" +- name: "18.9.62.3.10.2 | PATCH | Ensure Set time limit for disconnected sessions is set to Enabled 1 minute" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: MaxDisconnectionTime @@ -2302,8 +2721,9 @@ - level2-memberserver - rule_18.9.62.3.10.2 - patch + - terminalservices -- name: "18.9.62.3.11.1 | PATCH | L1 | Ensure Do not delete temp folders upon exit is set to Disabled" +- name: "18.9.62.3.11.1 | PATCH | Ensure Do not delete temp folders upon exit is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: DeleteTempDirsOnExit @@ -2316,8 +2736,9 @@ - level1-memberserver - rule_18.9.59.3.11.1 - patch + - terminalservices -- name: "18.9.62.3.11.2 | PATCH | L1 | Ensure Do not use temporary folders per session is set to Disabled" +- name: "18.9.62.3.11.2 | PATCH | Ensure Do not use temporary folders per session is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: PerSessionTempDir @@ -2330,8 +2751,9 @@ - level1-memberserver - rule_18.9.62.3.11.2 - patch + - terminalservices -- name: "18.9.63.1 | PATCH | L1 | Ensure Prevent downloading of enclosures is set to Enabled" +- name: "18.9.63.1 | PATCH | Ensure Prevent downloading of enclosures is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds name: DisableEnclosureDownload 
@@ -2344,8 +2766,9 @@ - level1-memberserver - rule_18.9.63.1 - patch + - enclosure -- name: "18.9.64.2 | PATCH | L2 | Ensure Allow Cloud Search is set to Enabled Disable Cloud Search" +- name: "18.9.64.2 | PATCH | Ensure Allow Cloud Search is set to Enabled Disable Cloud Search" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search name: AllowCloudSearch @@ -2358,8 +2781,10 @@ - level2-memberserver - rule_18.9.64.2 - patch + - search + - cloud -- name: "18.9.64.3 | PATCH | L1 | Ensure Allow indexing of encrypted files is set to Disabled" +- name: "18.9.64.3 | PATCH | Ensure Allow indexing of encrypted files is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search name: AllowIndexingEncryptedStoresOrItems @@ -2372,8 +2797,10 @@ - level1-memberserver - rule_18.9.64.3 - patch + - search + - encrypted -- name: "18.9.69.1 | PATCH | L2 | Ensure Turn off KMS Client Online AVS Validation is set to Enabled" +- name: "18.9.69.1 | PATCH | Ensure Turn off KMS Client Online AVS Validation is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform name: NoGenTicket 
@@ -2386,17 +2813,18 @@ - level2-memberserver - rule_18.9.66.1 - patch + - kms -- name: "18.9.80.1.1 | PATCH | L1 | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass" +- name: "18.9.80.1.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass" block: - - name: "18.9.80.1.1 | PATCH | L1 | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen" + - name: "18.9.80.1.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: EnableSmartScreen data: 1 type: dword - - name: "18.9.80.1.1 | PATCH | L1 | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel" + - name: "18.9.80.1.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: ShellSmartScreenLevel @@ -2409,8 +2837,9 @@ - level1-memberserver - rule_18.9.80.1.1 - patch + - defender -- name: "18.9.84.1 | PATCH | L2 | Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled" +- name: "18.9.84.1 | PATCH | Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace name: AllowSuggestedAppsInWindowsInkWorkspace 
@@ -2423,8 +2852,9 @@ - level2-memberserver - rule_18.9.84.1 - patch + - wik -- name: "18.9.84.2 | PATCH | L1 | Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On" +- name: "18.9.84.2 | PATCH | Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace name: AllowWindowsInkWorkspace @@ -2437,8 +2867,9 @@ - level1-memberserver - rule_18.9.84.2 - patch + - wik -- name: "18.9.85.1 | PATCH | L1 | Ensure Allow user control over installs is set to Disabled" +- name: "18.9.85.1 | PATCH | Ensure Allow user control over installs is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Installer name: EnableUserControl @@ -2452,7 +2883,7 @@ - rule_18.9.85.1 - patch -- name: "18.9.85.2 | PATCH | L1 | Ensure Always install with elevated privileges is set to Disabled" +- name: "18.9.85.2 | PATCH | Ensure Always install with elevated privileges is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Installer name: AlwaysInstallElevated @@ -2466,7 +2897,7 @@ - rule_18.9.85.2 - patch -- name: "18.9.85.3 | PATCH | L2 | Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled" +- name: "18.9.85.3 | PATCH | Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Installer name: SafeForScripting 
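Review bot: 18.9.85.1 and 18.9.85.2 in hunks `@@ -2452,7 +2883,7 @@` and `@@ -2466,7 +2897,7 @@` are the only tasks in this file whose rename is not accompanied by a category tag, while the neighbouring 18.9.85.3 gains `ie` and 18.9.86.1 gains `logon`. A consistent tag such as ` - installer` after ` - patch` in both tag lists would let operators select the Windows Installer controls together; the `AlwaysInstallElevated` task in particular is one an auditor will want to run on its own. Both task bodies continue outside these hunks.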
@@ -2479,8 +2910,9 @@ - level2-memberserver - rule_18.9.85.3 - patch + - ie -- name: "18.9.86.1 | PATCH | L1 | Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled" +- name: "18.9.86.1 | PATCH | Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: DisableAutomaticRestartSignOn @@ -2493,36 +2925,23 @@ - level1-memberserver - rule_18.9.86.1 - patch + - logon -- name: "18.9.95.1 | PATCH | L1 | Ensure Turn on PowerShell Script Block Logging is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging - name: EnableScriptBlockLogging - data: 0 - type: dword - when: - - rule_18_9_95_1 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.95.1 - - patch - -- name: "18.9.95.2 | PATCH | L1 | Ensure Turn on PowerShell Transcription is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription - name: EnableTranscripting - data: 0 - type: dword - when: - - rule_18_9_95_2 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.95.2 - - patch +# - name: "18.9.95.1 | PATCH | Ensure Turn on PowerShell Script Block Logging is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging +# name: EnableScriptBlockLogging +# data: 0 +# type: dword +# when: +# - rule_18_9_95_1 +# tags: +# - level1-domaincontroller +# - level1-memberserver +# - rule_18.9.95.1 +# - patch -- name: "18.9.97.1.1 | PATCH | L1 | Ensure Allow Basic authentication is set to Disabled" +- name: "18.9.97.1.1 | PATCH | Ensure Allow Basic authentication is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client name: AllowBasic 
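Review bot: The 18.9.95.1 task in hunk `@@ -2493,36 +2925,23 @@` is turned into a commented-out block rather than deleted, even though the same registry value is re-added with the inverted setting as 18.9.100.1 later in this diff; the disabled copy now documents the opposite of what the role enforces and will drift as the file changes. Delete the `# - name: "18.9.95.1 ..."` block — git history preserves it — and do the same for the commented-out 19.1.3.4 task in tasks/section19.yml (hunk `@@ -67,40 +70,41 @@`).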
@@ -2536,8 +2955,9 @@ - level1-memberserver - rule_18.9.97.1.1 - patch + - winrm -- name: "18.9.97.1.2 | PATCH | L1 | Ensure Allow unencrypted traffic is set to Disabled" +- name: "18.9.97.1.2 | PATCH | Ensure Allow unencrypted traffic is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client name: AllowUnencryptedTraffic @@ -2551,8 +2971,9 @@ - level1-memberserver - rule_18.9.97.1.2 - patch + - winrm -- name: "18.9.97.1.3 | PATCH | L1 | Ensure Disallow Digest authentication is set to Enabled" +- name: "18.9.97.1.3 | PATCH | Ensure Disallow Digest authentication is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client name: AllowDigest @@ -2565,8 +2986,9 @@ - level1-memberserver - rule_18.9.97.1.3 - patch + - winrm -- name: "18.9.97.2.1 | PATCH | L1 | Ensure Allow Basic authentication is set to Disabled" +- name: "18.9.97.2.1 | PATCH | Ensure Allow Basic authentication is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: AllowBasic @@ -2580,9 +3002,10 @@ - level1-memberserver - rule_18.9.97.2.1 - patch + - winrm # This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart -- name: "18.9.97.2.2 | PATCH | L2 | Ensure Allow remote server management through WinRM is set to Disabled" +- name: "18.9.97.2.2 | PATCH | Ensure Allow remote server management through WinRM is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: AllowAutoConfig @@ -2596,8 +3019,9 @@ - level2-memberserver - rule_18.9.97.2.2 - patch + - winrm -- name: "18.9.97.2.3 | PATCH | L1 | Ensure Allow unencrypted traffic is set to Disabled" +- name: "18.9.97.2.3 | PATCH | Ensure Allow unencrypted traffic is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: AllowUnencryptedTraffic 
@@ -2611,8 +3035,10 @@ - level1-memberserver - rule_18.9.97.2.3 - patch + - winrm + - encryption -- name: "18.9.97.2.4 | PATCH | L1 | Ensure Disallow WinRM from storing RunAs credentials is set to Enabled" +- name: "18.9.97.2.4 | PATCH | Ensure Disallow WinRM from storing RunAs credentials is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: DisableRunAs @@ -2625,13 +3051,14 @@ - level1-memberserver - rule_18.9.97.2.4 - patch + - winrm # This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart -- name: "18.9.98.1 | PATCH | L2 | Ensure Allow Remote Shell Access is set to Disabled" +- name: "18.9.98.1 | PATCH | Ensure Allow Remote Shell Access is set to Disabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs name: AllowRemoteShellAccess - data: 1 + data: 0 type: dword when: - rule_18_9_98_1 @@ -2641,8 +3068,9 @@ - level2-memberserver - rule_18.9.98.1 - patch + - winrm -- name: "18.9.99.2.1 | PATCH | L1 | Ensure Prevent users from modifying settings is set to Enabled" +- name: "18.9.99.2.1 | PATCH | Ensure Prevent users from modifying settings is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection name: DisallowExploitProtectionOverride 
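Review bot: In hunk `@@ -2625,13 +3051,14 @@` the value for 18.9.98.1 `AllowRemoteShellAccess` changes from `data: 1` to `data: 0`, but the comment kept directly above the task still says the control "will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart". If the Ansible WinRM connection depends on a remote shell, this task severs the controller's own management path once the policy applies, and later tasks in the run may fail; the same caveat appears above 18.9.97.2.2 earlier in this diff. Either restore `data: 1` with the existing comment, or keep `data: 0` and rewrite the comment to state that remote shell access is disabled and management must continue through another channel, so the two no longer contradict each other.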
@@ -2655,121 +3083,158 @@ - level1-memberserver - rule_18.9.99.2.1 - patch + - accounts + +- name: "19.9.100.1 | PATCH | Ensure Turn on PowerShell Script Block Logging is set to Enabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging + name: EnableScriptBlockLogging + data: 1 + type: dword + when: + - rule_18_9_100_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.100.1 + - patch + - powershell -- name: "18.9.102.1.1 | PATCH | L1 | Ensure Manage preview builds is set to Enabled Disable preview builds" +- name: "18.9.100.2 | PATCH | Ensure Turn on PowerShell Transcription is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription + name: EnableTranscripting + data: 0 + type: dword + when: + - rule_18_9_100_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.100.2 + - patch + - powershell + +- name: "18.9.108.1.1 | PATCH | Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au + name: NoAutoRebootWithLoggedOnUsers + data: 0 + type: dword + when: + - rule_18_9_108_1_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.108.1.1 + - patch + - winupdate + +- name: "18.9.108.2.1 | PATCH | Ensure Configure Automatic Updates is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au + name: NoAutoUpdate + data: 0 + type: dword + when: + - rule_18_9_108_2_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.108.2.1 + - patch + - winupdate + +- name: "18.9.108.2.2 | PATCH | Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au + name: ScheduledInstallDay + data: 0 + type: dword + when: + - 
rule_18_9_108_2_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.108.2.2 + - patch + - winupdate + +- name: "18.9.108.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds" block: - - name: "18.9.102.1.1 | PATCH | L1 | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" + - name: "18.9.108.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: ManagePreviewBuilds data: 1 type: dword - - name: "18.9.102.1.1 | PATCH | L1 | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" + - name: "18.9.108.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: ManagePreviewBuildsPolicyValue data: 0 type: dword when: - - rule_18_9_102_1_1 + - rule_18_9_108_4_1 tags: - level1-domaincontroller - level1-memberserver - rule_18.9.102.1.1 - patch + - winupdate -- name: "18.9.102.1.2 | PATCH | L1 | Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days" +- name: "18.9.108.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'" block: - - name: "18.9.102.1.2 | PATCH | L1 | Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdates" + - name: "18.9.108.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | DeferFeatureUpdates" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: DeferFeatureUpdates data: 1 type: dword - - name: "18.9.102.1.2 | PATCH | L1 | Ensure Select when Preview 
Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdatesPeriodInDays" + - name: "18.9.108.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | DeferFeatureUpdatesPeriodInDays" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: DeferFeatureUpdatesPeriodInDays data: 180 type: dword - - name: "18.9.102.1.2 | PATCH | L1 | Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | BranchReadinessLevel" + - name: "18.9.108.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | BranchReadinessLevel" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: BranchReadinessLevel data: 16 type: dword when: - - rule_18_9_102_1_2 + - rule_18_9_108_4_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.102.1.2 + - rule_18.9.108.4.2 - patch + - winupdate -- name: "18.9.102.1.3 | PATCH | L1 | Ensure Select when Quality Updates are received is set to Enabled 0 days" +- name: "18.9.108.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days" block: - - name: "18.9.102.1.3 | PATCH | L1 | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates" + - name: "18.9.108.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate name: DeferQualityUpdates data: 1 type: dword - - name: "18.9.102.1.3 | PATCH | L1 | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays" + - name: "18.9.108.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays" win_regedit: 
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate name: DeferQualityUpdatesPeriodInDays data: 0 type: dword when: - - rule_18_9_102_1_3 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.102.1.3 - - patch - -- name: "18.9.102.2 | PATCH | L1 | Ensure Configure Automatic Updates is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au - name: NoAutoUpdate - data: 0 - type: dword - when: - - rule_18_9_102_2 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.102.2 - - patch - -- name: "18.9.102.3 | PATCH | L1 | Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au - name: ScheduledInstallDay - data: 0 - type: dword - when: - - rule_18_9_102_3 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.102.3 - - patch - -- name: "18.9.102.4 | PATCH | L1 | Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au - name: NoAutoRebootWithLoggedOnUsers - data: 0 - type: dword - when: - - rule_18_9_102_4 + - rule_18_9_108_4_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.102.4 + - rule_18.9.108.4.3 - patch + - winupdate diff --git a/tasks/section19.yml b/tasks/section19.yml index ec36eee..5600eb8 100644 --- a/tasks/section19.yml +++ b/tasks/section19.yml 
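Review bot: The new Script Block Logging task at the top of hunk `@@ -2655,121 +3083,158 @@` is named `19.9.100.1` while its `when` and tags use `18_9_100_1` / `18.9.100.1` and the file is section 18; the name should read `"18.9.100.1 | PATCH | Ensure Turn on PowerShell Script Block Logging is set to Enabled"`. In the same hunk the preview-builds task is renumbered to 18.9.108.4.1 in both its name and `when`, but its tag list still carries the old ` - rule_18.9.102.1.1`, which should become ` - rule_18.9.108.4.1` as was done for 18.9.108.4.2 and 18.9.108.4.3. The ` - accounts` tag added to 18.9.99.2.1 (`DisallowExploitProtectionOverride`) also looks like a copy-paste slip; `defender` or `exploitprotection` appears to be the intended category, though the tag scheme is not documented here.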
@@ -1,14 +1,15 @@ --- -- name: "19.1.3.1 | PATCH | L1 | Ensure Enable screen saver is set to Enabled" + +- name: "19.1.3.1 | PATCH | Ensure Enable screen saver is set to Enabled" block: - - name: "19.1.3.1 | PATCH | L1 | Ensure Enable screen saver is set to Enabled" + - name: "19.1.3.1 | PATCH | Ensure Enable screen saver is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveActive data: 1 type: string - - name: "19.1.3.1 | PATCH | L1 | Ensure Enable screen saver is set to Enabled" + - name: "19.1.3.1 | PATCH | Ensure Enable screen saver is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveActive @@ -21,21 +22,22 @@ - level1-memberserver - rule_19.1.3.1 - patch + - screensaver -- name: "19.1.3.2 | PATCH | L1 | Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" +- name: "19.1.3.2 | PATCH | Ensure Password protect the screen saver is set to Enabled" block: - - name: "19.1.3.2 | PATCH | L1 | Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" + - name: "19.1.3.2 | PATCH | Ensure Password protect the screen saver is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: SCRNSAVE.EXE - data: scrnsave.scr + name: ScreenSaverIsSecure + data: 1 type: string - - name: "19.1.3.2 | PATCH | L1 | Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" + - name: "19.1.3.2 | PATCH | Ensure Password protect the screen saver is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: SCRNSAVE.EXE - data: scrnsave.scr + name: ScreenSaverIsSecure + data: 1 type: string when: - rule_19_1_3_2 
@@ -44,17 +46,18 @@ - level1-memberserver - rule_19.1.3.2 - patch + - screensaver -- name: "19.1.3.3 | PATCH | L1 | Ensure Password protect the screen saver is set to Enabled" +- name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" block: - - name: "19.1.3.3 | PATCH | L1 | Ensure Password protect the screen saver is set to Enabled" + - name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaverIsSecure data: 1 type: string - - name: "19.1.3.3 | PATCH | L1 | Ensure Password protect the screen saver is set to Enabled" + - name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaverIsSecure 
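Review bot: 19.1.3.3 in hunk `@@ -44,17 +46,18 @@` is renamed to "Screen saver timeout is set to Enabled 900 seconds or fewer but not 0", but both of its `win_regedit` calls still write `ScreenSaverIsSecure` with `data: 1`, the same value 19.1.3.2 now sets in the previous hunk, and the old 19.1.3.4 task that wrote `ScreenSaveTimeOut` is commented out in the next hunk (`@@ -67,40 +70,41 @@`). The net effect is that no task in this role sets a screen saver timeout any more, while a task name claims that it does, so an audit reading task output would be misled. In both subtasks change the two value lines to `name: ScreenSaveTimeOut` and `data: 900`, keeping `type: string` as the removed 19.1.3.4 task used; if duplicating 19.1.3.2 is intentional during the benchmark renumbering, the task name should not say timeout.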
@@ -67,40 +70,41 @@ - level1-memberserver - rule_19.1.3.3 - patch + - screensaver -- name: "19.1.3.4 | PATCH | L1 | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" - block: - - name: "19.1.3.4 | PATCH | L1 | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveTimeOut - data: 900 - type: string +# - name: "19.1.3.4 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" +# block: +# - name: "19.1.3.4 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" +# win_regedit: +# path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop +# name: ScreenSaveTimeOut +# data: 900 +# type: string - - name: "19.1.3.4 | PATCH | L1 | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveTimeOut - data: 900 - type: string - when: - - rule_19_1_3_4 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.1.3.4 - - patch +# - name: "19.1.3.4 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" +# win_regedit: +# path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop +# name: ScreenSaveTimeOut +# data: 900 +# type: string +# when: +# - rule_19_1_3_4 +# tags: +# - level1-domaincontroller +# - level1-memberserver +# - rule_19.1.3.4 +# - patch -- name: "19.5.1.1 | PATCH | L1 | Ensure Turn off toast notifications on the lock screen is set to Enabled" +- name: "19.5.1.1 | PATCH | Ensure Turn off toast notifications on the lock screen is set to Enabled" block: - - name: "19.5.1.1 | PATCH | L1 | Ensure Turn off toast notifications on the lock screen is set to Enabled" + - name: "19.5.1.1 | PATCH | Ensure Turn off toast notifications on the lock screen 
is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications name: NoToastApplicationNotificationOnLockScreen data: 1 type: dword - - name: "19.5.1.1 | PATCH | L1 | Ensure Turn off toast notifications on the lock screen is set to Enabled" + - name: "19.5.1.1 | PATCH | Ensure Turn off toast notifications on the lock screen is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications name: NoToastApplicationNotificationOnLockScreen @@ -113,17 +117,18 @@ - level1-memberserver - rule_19.5.1.1 - patch + - toast -- name: "19.6.6.1.1 | PATCH | L2 | Ensure Turn off Help Experience Improvement Program is set to Enabled" +- name: "19.6.6.1.1 | PATCH | Ensure Turn off Help Experience Improvement Program is set to Enabled" block: - - name: "19.6.6.1.1 | PATCH | L2 | Ensure Turn off Help Experience Improvement Program is set to Enabled" + - name: "19.6.6.1.1 | PATCH | Ensure Turn off Help Experience Improvement Program is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Assistance\Client\1.0 name: NoImplicitFeedback data: 1 type: dword - - name: "19.6.6.1.1 | PATCH | L2 | Ensure Turn off Help Experience Improvement Program is set to Enabled" + - name: "19.6.6.1.1 | PATCH | Ensure Turn off Help Experience Improvement Program is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0 name: NoImplicitFeedback 
@@ -136,17 +141,18 @@ - level2-memberserver - rule_19.6.6.1.1 - patch + - help -- name: "19.7.4.1 | PATCH | L1 | Ensure Do not preserve zone information in file attachments is set to Disabled" +- name: "19.7.4.1 | PATCH | Ensure Do not preserve zone information in file attachments is set to Disabled" block: - - name: "19.7.4.1 | PATCH | L1 | Ensure Do not preserve zone information in file attachments is set to Disabled" + - name: "19.7.4.1 | PATCH | Ensure Do not preserve zone information in file attachments is set to Disabled" win_regedit: path: HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments name: SaveZoneInformation data: 2 type: dword - - name: "19.7.4.1 | PATCH | L1 | Ensure Do not preserve zone information in file attachments is set to Disabled" + - name: "19.7.4.1 | PATCH | Ensure Do not preserve zone information in file attachments is set to Disabled" win_regedit: path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments name: SaveZoneInformation 
@@ -159,17 +165,18 @@ - level1-memberserver - rule_19.7.4.1 - patch + - attachments -- name: "19.7.4.2 | PATCH | L1 | Ensure Notify antivirus programs when opening attachments is set to Enabled" +- name: "19.7.4.2 | PATCH | Ensure Notify antivirus programs when opening attachments is set to Enabled" block: - - name: "19.7.4.2 | PATCH | L1 | Ensure Notify antivirus programs when opening attachments is set to Enabled" + - name: "19.7.4.2 | PATCH | Ensure Notify antivirus programs when opening attachments is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Attachments name: ScanWithAntiVirus data: 3 type: dword - - name: "19.7.4.2 | PATCH | L1 | Ensure Notify antivirus programs when opening attachments is set to Enabled" + - name: "19.7.4.2 | PATCH | Ensure Notify antivirus programs when opening attachments is set to Enabled" win_regedit: path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Attachments name: ScanWithAntiVirus @@ -182,17 +189,18 @@ - level1-memberserver - rule_19.7.4.2 - patch + - antivirus -- name: "19.7.8.1 | PATCH | L1 | Ensure Configure Windows spotlight on lock screen is set to Disabled" +- name: "19.7.8.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" block: - - name: "19.7.8.1 | PATCH | L1 | Ensure Configure Windows spotlight on lock screen is set to Disabled" + - name: "19.7.8.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: ConfigureWindowsSpotlight data: 2 type: dword - - name: "19.7.8.1 | PATCH | L1 | Ensure Configure Windows spotlight on lock screen is set to Disabled" + - name: "19.7.8.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: ConfigureWindowsSpotlight 
@@ -205,17 +213,18 @@ - level1-memberserver - rule_19.7.8.1 - patch + - spotlight -- name: "19.7.8.2 | PATCH | L1 | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" +- name: "19.7.8.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" block: - - name: "19.7.8.2 | PATCH | L1 | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" + - name: "19.7.8.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: DisableThirdPartySuggestions data: 1 type: dword - - name: "19.7.8.2 | PATCH | L1 | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" + - name: "19.7.8.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableThirdPartySuggestions 
@@ -228,17 +237,18 @@ - level1-memberserver - rule_19.7.8.2 - patch + - spotlight -- name: "19.7.8.3 | PATCH | L2 | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" +- name: "19.7.8.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" block: - - name: "19.7.8.3 | PATCH | L2 | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" + - name: "19.7.8.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: DisableTailoredExperiencesWithDiagnosticData data: 1 type: dword - - name: "19.7.8.3 | PATCH | L2 | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" + - name: "19.7.8.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableTailoredExperiencesWithDiagnosticData @@ -251,17 +261,18 @@ - level2-memberserver - rule_19.7.8.3 - patch + - tailoredexperiences -- name: "19.7.8.4 | PATCH | L2 | Ensure Turn off all Windows spotlight features is set to Enabled" +- name: "19.7.8.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" block: - - name: "19.7.8.4 | PATCH | L2 | Ensure Turn off all Windows spotlight features is set to Enabled" + - name: "19.7.8.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: DisableWindowsSpotlightFeatures data: 1 type: dword - - name: "19.7.8.4 | PATCH | L2 | Ensure Turn off all Windows spotlight features is set to Enabled" + - name: "19.7.8.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableWindowsSpotlightFeatures 
@@ -274,17 +285,33 @@
       - level2-memberserver
       - rule_19.7.8.4
       - patch
+      - spotlight
+
+- name: "19.7.8.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled"
+  win_regedit:
+      path: HKCU:\SOFTWARE\Policies\Microsoft\Windows\CloudContent
+      name: DisableSpotlightCollectionOnDesktop
+      data: 1
+      type: dword
+  when:
+      - rule_19_7_8_5
+  tags:
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_19.7.8.4
+      - patch
+      - spotlight
-- name: "19.7.28.1 | PATCH | L1 | Ensure Prevent users from sharing files within their profile. is set to Enabled"
+- name: "19.7.28.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled"
   block:
-      - name: "19.7.28.1 | PATCH | L1 | Ensure Prevent users from sharing files within their profile. is set to Enabled"
+      - name: "19.7.28.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled"
         win_regedit:
             path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Explorer
             name: NoInplaceSharing
             data: 1
             type: dword
-      - name: "19.7.28.1 | PATCH | L1 | Ensure Prevent users from sharing files within their profile. is set to Enabled"
+      - name: "19.7.28.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled"
         win_regedit:
             path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
             name: NoInplaceSharing
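Review bot: The tags of the new 19.7.8.5 task carry `rule_19.7.8.4` while its `when` tests `rule_19_7_8_5`, so running with `--tags rule_19.7.8.5` never reaches this task and `--tags rule_19.7.8.4` runs it unintentionally; the tag should read `- rule_19.7.8.5`. Unlike the surrounding 19.7.8.x tasks, which set the value under both `HKU:\.DEFAULT` and `HKCU:` inside a `block:`, this task writes only the `HKCU:` hive; if that is deliberate (the control may be user-scope only) a one-line comment saying so would stop the next reader from "fixing" it, otherwise a matching `HKU:\.DEFAULT` write would keep it consistent with its siblings. Minor style point: the path uses `HKCU:\SOFTWARE\...` where every other task in these hunks writes `HKCU:\Software\...` — harmless to Windows, but it breaks simple grep-based auditing of the role.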
@@ -297,17 +324,19 @@
       - level1-memberserver
       - rule_19.7.28.1
       - patch
+      - profiles
+      - sharing
-- name: "19.7.43.1 | PATCH | L1 | Ensure Always install with elevated privileges is set to Disabled"
+- name: "19.7.43.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled"
   block:
-      - name: "19.7.43.1 | PATCH | L1 | Ensure Always install with elevated privileges is set to Disabled"
+      - name: "19.7.43.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled"
         win_regedit:
             path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Installer
             name: AlwaysInstallElevated
             data: 0
             type: dword
-      - name: "19.7.43.1 | PATCH | L1 | Ensure Always install with elevated privileges is set to Disabled"
+      - name: "19.7.43.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled"
         win_regedit:
             path: HKCU:\Software\Policies\Microsoft\Windows\Installer
             name: AlwaysInstallElevated
@@ -320,17 +349,18 @@
       - level1-memberserver
       - rule_19.7.43.1
       - patch
+      - permissions
-- name: "19.7.47.2.1 | PATCH | L2 | Ensure Prevent Codec Download is set to Enabled"
+- name: "19.7.47.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled"
   block:
-      - name: "19.7.47.2.1 | PATCH | L2 | Ensure Prevent Codec Download is set to Enabled"
+      - name: "19.7.47.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled"
         win_regedit:
             path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windowsmediaplayer
             name: PreventCodecDownload
             data: 1
             type: dword
-      - name: "19.7.47.2.1 | PATCH | L2 | Ensure Prevent Codec Download is set to Enabled"
+      - name: "19.7.47.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled"
         win_regedit:
             path: HKCU:\Software\Policies\Microsoft\Windowsmediaplayer
             name: PreventCodecDownload
@@ -343,3 +373,4 @@
       - level2-memberserver
       - rule_19.7.47.2.1
       - patch
+      - codec
